
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Splunk Core Certified Power User SPLK-1003 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

15 scenario questions · Exam code: SPLK-1003 · Vendor: Splunk

Scenario guide

How to approach refer to the exhibit practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read a topology, command output, diagram or table before choosing the best answer.

How to extract the relevant detail from an exhibit.

How topology, command output or routing information affects the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.


Practice set

Practice scenarios

Question 1 (hard, multiple choice)

Refer to the exhibit. The search aims to detect brute-force attacks where there are at least 2 failed logins followed by a successful login from the same source IP within 5 minutes. However, the search returns no results even though such attacks exist. What is the most likely error in the search logic?

Exhibit

```
index=main sourcetype=linux_secure
| eval stage=case(
    like(_raw,"%Failed password%"),"failed",
    like(_raw,"%Accepted password%"),"success")
| transaction src maxspan=5m
| search stage="*"
| eval attack=if(mvcount(stage)>2 AND mvcount(stage)>=2 AND mvfind(stage,"failed")!=-1 AND mvfind(stage,"success")!=-1,"yes","no")
| where attack="yes"
```
Question 2 (medium, multiple choice)

Refer to the exhibit. A security analyst runs this search to group SSH login events into sessions based on a session_id that is extracted only from 'Accepted publickey' events. However, the resulting transactions contain only the 'Accepted publickey' event and none of the subsequent commands or logouts. What is the most likely cause?

Exhibit

```
index=security sourcetype=linux_secure
| eval session_id=if(like(_raw,"Accepted publickey"), _raw, null())
| transaction session_id maxpause=5m
| table _time, session_id, duration
```
Question 3 (easy, multiple choice)

The exhibit shows a search that reads a lookup file. Which of the following must be true for this search to work correctly?

Exhibit

```
| inputlookup server_status.csv
| where status="down"
| stats count by location
| sort - count
```
Question 4 (medium, multiple choice)

The exhibit shows an error when using a lookup. What is the most likely missing configuration?

Exhibit

```
Error in search:
"The lookup table 'department_lookup' does not exist."
```

The admin verifies that department_lookup.csv is present in the lookups directory. Which additional step is required?
Question 5 (easy, multiple choice)

Refer to the exhibit. A Splunk user runs the search shown. The search returns results, but the user notices that some clientip values appear multiple times in the stats output, even though they should have been grouped into a single transaction. What is the most likely reason for this?

Exhibit

```
index=main sourcetype=access_combined
| transaction clientip maxspan=30m maxevents=5
| stats count by clientip
```
Question 6 (medium, multiple choice)

Refer to the exhibit. The search is intended to count the number of clients who made more than 3 HTTP requests within any 30-minute window. However, the results are unexpectedly high. What is the most likely reason?

Exhibit

```
sourcetype=access_combined | transaction clientip maxspan=30m | where mvcount(method) > 3 | stats count by clientip
```
Question 7 (medium, multiple choice)

Refer to the exhibit. An analyst executes the following search: `| filter_status(status_code=500)`. What will be the result?

Exhibit

```
[filter_status]
args = status_code
definition = search index=web status=$arg1$ | stats count by status
```
Question 8 (hard, multiple choice)

Refer to the exhibit. The search is taking very long and returning few results. Which change would most improve performance?

Exhibit

```
index=security sourcetype=firewall | eval src_ip=if(isnull(src_ip), nat_ip, src_ip) | transaction src_ip, dest_port maxspan=5m maxpause=1m | search eventcount>10 | table src_ip, dest_port, duration, eventcount
```
Question 9 (hard, multiple choice)

Refer to the exhibit. The search above returns no results for api_version. What is the most likely cause?

Exhibit

```
index=main sourcetype=access_combined | rex field=uri_path "/api/(?<api_version>v[0-9]+)/.*" | stats count by api_version
```
Question 10 (medium, multiple choice)

Refer to the exhibit. This search is intended to find users with average duration above overall average. However, it returns no results. Why?

Exhibit

```
| eventstats avg(duration) as overall_avg
| stats avg(duration) as user_avg by user
| where user_avg > overall_avg
```
Question 11 (hard, multiple choice)

Refer to the exhibit. What is the most likely cause of this error?

Exhibit

Search command:

```
| inputlookup geo_lookup
| search src_ip="10.0.0.1"
| table src_ip, city, country
```

Error:

```
Error in 'inputlookup' command: Could not find lookup table 'geo_lookup'
```
Question 12 (medium, multiple choice)

Refer to the exhibit. When a source IP does not match any entry in geo.csv, what values will be added to the event?

Exhibit

```
[mysourcetype]
LOOKUP-geo = geo_lookup src_ip OUTPUTNEW city, country

[geo_lookup]
filename = geo.csv
max_matches = 1
default_match = NotFound
match_type = CIDR(src_ip)
```
Question 13 (hard, multiple choice)

Refer to the exhibit. An administrator is configuring a CIDR match lookup for geo-IP. The lookup is not working. What is most likely the issue?

Exhibit

```
[transform:geo_ip]
filename = GeoLiteCity.dat
max_matches = 1
[match_type = cidr
```
Question 14 (medium, multiple choice)

Refer to the exhibit. What happens when a user clicks on a status value in the table?

Exhibit

```
<dashboard>
  <table>
    <search>
      <query>index=web sourcetype=access | stats count by status</query>
    </search>
    <drilldown>
      <condition field="status">
        <set token="selected_status">$click.value$</set>
      </condition>
    </drilldown>
  </table>
  <chart depends="$selected_status$">
    <search>
      <query>index=web sourcetype=access status=$selected_status$ | timechart count by method</query>
    </search>
  </chart>
</dashboard>
```
Question 15 (medium, multiple choice)

Refer to the exhibit. A user runs this search expecting to see the top 5 departments by count, but the results show all departments. What is the error?

Exhibit

```
| inputlookup employee_data.csv
| stats count by department
| sort - count
| top limit=5 department
```

These SPLK-1003 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.