
Scenario-based practice

Hard Difficulty Questions

Practise Splunk Core Certified Power User SPLK-1003 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SPLK-1003 | Vendor: Splunk

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply the concept in context, not just recognise a definition. Working through them shows:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.


Practice scenarios

Question 1 (hard, multi select)

Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?

Question 2 (hard, multiple choice)

A Splunk admin wants to track the number of unique users who accessed a system each hour over the past 24 hours. Which search provides the correct result?

Question 3 (hard, multiple choice)

An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?

Question 4 (hard, multiple choice)

A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?

Question 5 (hard, multiple choice)

A Splunk admin notices that a time-based lookup (defined in transforms.conf with time_range=TRUE) is not returning correct results for events outside the lookup's time boundaries. The lookup file contains rows with a valid time range. What is the most likely cause?

Question 6 (hard, multi select)

Which THREE of the following are best practices when using lookups in Splunk?

Question 7 (hard, multiple choice)

A Splunk administrator notices that the 'transaction' command is consuming excessive memory when processing a large dataset. The dataset contains events with a common field 'user_id', and the goal is to group events per user within 1 hour. Which approach would best reduce memory usage while still achieving the desired correlation?

Question 8 (hard, multiple choice)

A security team wants to detect a multi-step attack pattern: a user logs in from a new IP address, then within 10 minutes performs a privilege escalation, and finally accesses a sensitive file. They have events with fields: user, ip, action, and timestamp. Which SPL transaction statement should they use to group these three events into one transaction, ensuring all three actions occur in order?

Question 9 (hard, multiple choice)

An organization has a transaction that groups firewall events by source IP to detect port scans. The transaction uses `maxpause=1m`. Some valid scans are being missed because events occasionally have gaps longer than 1 minute due to network latency. Which change would best capture these scans without introducing too many false positives?

Question 10 (hard, multiple choice)

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

Exhibit

```
index=main sourcetype=linux_secure
| eval stage=case(
    like(_raw,"%Failed password%"),"failed",
    like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```

Question 11 (hard, multiple choice)

A financial services company uses Splunk to detect fraudulent transactions. Each transaction event has fields: `user_id`, `amount`, `merchant`, `timestamp`. The fraud detection team wants to identify users who make multiple small transactions (under $50) totaling over $200 within a 1-hour window, which may indicate testing stolen credit cards. They write the following search:

```
index=transactions sourcetype=payment amount<50 | transaction user_id maxspan=1h | where sum(amount) > 200
```

This search runs but returns no results, even though manual inspection shows users with such patterns. What is the primary reason the search fails?

Question 12 (hard, multiple choice)

A Splunk administrator runs the following search to identify the top 5 users by total bytes transferred:

```
index=proxy sourcetype=webproxy | stats sum(bytes) as total_bytes by user | sort - total_bytes | head 5
```

The search returns results, but the numbers seem inflated. On closer inspection, the 'bytes' field is a string type. What must be done to correct the search?

Question 13 (hard, multiple choice)

A Splunk administrator runs the following search and notices that the results include events where the 'status' field is 200 or 404, but also includes events where the 'status' field is missing. What is the most efficient way to modify the search to exclude events where the 'status' field does not exist?

Question 14 (hard, multiple choice)

A search returns events with fields 'user', 'action', and 'count'. The analyst wants to create a timechart showing the number of distinct users performing 'login' actions per hour. Which search is correct?

Question 15 (hard, multiple choice)

A Splunk admin notices that a saved search scheduled to run every 10 minutes is consistently taking 15 minutes to complete, causing overlapping runs. The search aggregates data across multiple indexes and uses a large time window. What is the best way to prevent overlap and ensure the search completes?

Question 16 (hard, multiple choice)

A Splunk administrator notices that a scheduled saved search `Daily Summary` fails every day at 2:00 AM with the error "Search job expired due to inactivity." The search runs against a large index and takes about 30 minutes to complete. What is the most likely cause?

Question 17 (hard, multi select)

Which TWO of the following are valid ways to reference a macro in a search?

Question 18 (hard, multi select)

Which THREE are best practices for creating lookups in Splunk?

Question 19 (hard, multiple choice)

An organization uses Splunk CIM to normalize data from multiple sources. They have a custom data source that logs firewall events with a field 'action' containing values 'accept', 'deny', 'drop'. They want to map this to the CIM field 'action'. Which configuration is required?

Question 20 (hard, multiple choice)

A Splunk admin notices that a scheduled search using inputlookup is returning inconsistent results. The lookup file is stored on the search head and is updated via a script every 15 minutes. What is the most likely cause of the inconsistency?

These SPLK-1003 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.