
Scenario-based practice

Troubleshooting Scenario Questions

Practise with Splunk Core Certified Power User SPLK-1003 practice questions: original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

14 scenario questions | Exam code: SPLK-1003 | Vendor: Splunk

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply a concept in context, not just recognise a definition. They assess:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (medium, multiple choice)

A Splunk administrator is troubleshooting a slow search that uses the transaction command. The search correlates events by 'user_uuid' with a maxspan of 1 hour. The administrator suspects that many orphan events (events that never complete a transaction) are causing performance issues. Which approach can help identify and possibly exclude orphan events from the transaction?

Question 2 (medium, multi-select)

A Splunk administrator is troubleshooting a search that uses the `transaction` command. The search is taking too long to complete and returning incomplete results. Which TWO changes are most likely to improve performance and accuracy of transaction searches? (Choose TWO.)

Question 3 (hard, multiple choice)

A search `index=main | eval weekday=strftime(_time,"%A") | stats count by weekday | sort - count` shows that Monday has the highest count. However, the user suspects that Monday data is double-counted due to timezone offset. What should be done to investigate?

Question 4 (medium, multiple choice)

A Splunk administrator is troubleshooting a slow dashboard that uses a timechart with a large dataset. Which of the following is a best practice to improve performance?

Question 5 (hard, multiple choice)

Refer to the exhibit. An administrator is configuring a CIDR match lookup for geo-IP. The lookup is not working. What is most likely the issue?

Exhibit

[transform:geo_ip]
filename = GeoLiteCity.dat
max_matches = 1
[match_type = cidr

Question 6 (hard, multi-select)

An admin is troubleshooting a saved search that invokes the macro `my_macro` (written as a backtick-quoted macro call in SPL). The macro definition is `stats count by $1$`. The saved search is scheduled to run hourly. Which of the following issues could cause the saved search to fail? (Choose three.)

Question 7 (medium, multiple choice)

An admin notices that a saved search with a scheduled alert is not triggering as expected even though the search returns results. The search uses a macro with arguments. Which troubleshooting step should the admin take first?

Question 8 (hard, multiple choice)

A user defined a macro that includes a lookup command. The macro works correctly in ad-hoc searches. However, when the macro is used in a scheduled saved search, the macro fails to expand. Administration confirms the macro is shared globally. What is the most likely cause of this failure?

Question 9 (hard, multiple choice)

A security team uses the CIM 'Authentication' data model to investigate failed logins. They have enabled acceleration on the data model and set a summary range of '1d'. After one week, searches against the data model are still slow and use the `search` command instead of `tstats`. What should they check first?

Question 10 (easy, multiple choice)

A user reports that a macro named `my_macro` is not working in a search. The macro is defined with no arguments and uses a simple search string. What is the most likely issue?

Question 11 (hard, multiple choice)

A Splunk admin is troubleshooting a transaction that groups firewall allow and deny events by session ID. The transaction should end when a deny event occurs for that session. Which transaction option should be used to define the end condition?

Question 12 (hard, multiple choice)

A Splunk administrator is troubleshooting a search that uses the transaction command to group login and logout events. The search runs but returns no results even though both types of events exist. The events are separated by at most 5 minutes. The current transaction command is:

`index=auth (action=login OR action=logout) | transaction action maxspan=10m maxpause=2s`

What is the most likely cause?

Question 13 (easy, multiple choice)

The security operations center (SOC) team at a medium-sized enterprise uses Splunk to investigate potential threats. They maintain a CSV lookup file named 'threat_intel.csv' that contains a list of known malicious IP addresses along with a threat score. The lookup is configured in transforms.conf as:

[threat_intel]
filename = threat_intel.csv
match_type = WILDCARD(ip)

They frequently run the following search to enrich firewall events with threat scores:

`index=firewall sourcetype=firewall_logs | lookup threat_intel src_ip OUTPUT threat_score | where threat_score > 5`

Recently, analysts noticed that some IP addresses known to be present in the lookup file are not being matched in search results. They have verified that the lookup file is correctly formatted and contains those IPs, and the transforms.conf has not been altered. They also confirmed that the events contain the field src_ip with the correct IP addresses. Which of the following is the most likely cause of the missing matches?

Question 14 (medium, multiple choice)

A large e-commerce company uses Splunk to monitor its web application performance. The application logs every HTTP request with fields: `transaction_id`, `url`, `response_time_ms`, `status`. Currently, the team uses the following search to identify slow page loads:

`index=web sourcetype=access_combined | transaction transaction_id maxspan=60s | eval total_time = sum(response_time_ms) | where total_time > 5000`

However, the search returns no results even though there are known slow pages. The team verified that logs contain `transaction_id` values and that some pages take over 10 seconds. What is the most likely reason the search fails to identify slow pages?

These SPLK-1003 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1003 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.