CCNA Advanced Viz Lookups Questions

75 of 127 questions · Page 1/2 · Advanced Viz Lookups topic · Answers revealed

1
MCQeasy

The exhibit shows a search that reads a lookup file. Which of the following must be true for this search to work correctly?

A.The lookup must be defined in transforms.conf
B.The lookup file must be stored on the indexer
C.The file must be in the default lookup directory
D.The file server_status.csv must be in the $SPLUNK_HOME/etc/apps/search/lookups directory
AnswerA

inputlookup requires a lookup definition in transforms.conf.

Why this answer

For a lookup to work in a Splunk search, it must be defined in transforms.conf. This configuration file specifies the lookup type (e.g., file-based, KV-store, external), the filename, the field mapping, and other parameters. Without this definition, Splunk cannot resolve the lookup command or the lookup table reference in the search string, even if the file exists on disk.

Exam trap

The trap here is that candidates often assume the lookup file just needs to exist on disk (options B, C, D), but Splunk requires the explicit transforms.conf definition to map the lookup name to the file and fields.

How to eliminate wrong answers

Option B is wrong because lookup files are stored on the search head, not the indexer; indexers handle data indexing and search, but lookups are resolved on the search head. Option C is wrong because the lookup file does not have to be in the default lookup directory; it can be in any directory specified by the 'filename' parameter in transforms.conf, as long as Splunk has read access. Option D is wrong because the file does not have to be in the $SPLUNK_HOME/etc/apps/search/lookups directory; it can be in any app's lookups subdirectory (e.g., $SPLUNK_HOME/etc/apps/myapp/lookups) as long as the transforms.conf in that app references it correctly.

2
MCQeasy

You are a Splunk administrator at a large e-commerce company with over 5,000 employees and millions of customers. The development team has created a dashboard that displays sales data by region, using a lookup table to map customer IDs to region names. The lookup file, 'customer_region.csv', is stored on the search head. Recently, the lookup table was updated with new customer IDs, but the dashboard continues to show old region names for new customers. You have verified that the lookup file contains the new mappings and that the file is correctly formatted. The dashboard uses the 'lookup' command in its base search. You have also confirmed that the lookup definition in transforms.conf points to the correct file. The lookup file is approximately 100 MB and is updated weekly. The dashboard is accessed by multiple users across the organization. The issue only affects new customers added in the latest update. Old customers still show correct regions. You have checked the file size and timestamp, and the new file is present. The Splunk version is 8.2. The search head is not clustered. No errors are appearing in the splunkd.log related to lookups. The dashboard uses a simple XML with a timechart and a lookup. The search string is: index=sales sourcetype=transactions | lookup customer_region.csv customer_id OUTPUT region | timechart count by region. You have also tried restarting the search head, but the issue persists. What is the most likely cause?

A.The lookup definition has 'batch_index_query=True' and is not refreshing.
B.The dashboard is using the wrong lookup name.
C.The lookup file is cached and needs to be reloaded by restarting Splunk.
D.The search head is using a cached version of the lookup, and you need to clear the lookups cache.
AnswerD

Clearing cache reloads the file.

Why this answer

Option B is correct because the lookup file is cached on the search head, and clearing the cache forces reload. Option A is wrong because restarting is unnecessary. Option C is wrong because batch_index_query is not relevant.

Option D is wrong because the file is correct.

3
MCQeasy

An analyst needs to add a field called 'Region' to events based on a lookup table that maps 'StoreID' to 'Region'. The lookup table is defined in transforms.conf as a CSV lookup. Which command should be used in the search to perform this enrichment?

A.inputlookp
B.outputlookp
C.table
D.lookup
AnswerD

lookup matches fields and adds output fields to events.

Why this answer

The lookup command enriches events with fields from a lookup table. inputlookp reads a lookup as results, outputlookp writes events to a lookup, others are irrelevant.

4
MCQhard

A dashboard uses a drop-down input to select a server. The drop-down is populated by a search that returns server names. Which setting ensures that the drop-down updates automatically when the underlying data changes?

A.Set the 'delay' option
B.Change the 'refresh' setting on the input
C.Use a token filter
D.Enable 'search on change'
AnswerB

Refresh re-executes the search at a specified interval, updating the drop-down.

Why this answer

The 'refresh' setting on the input causes the search that populates the drop-down to re-run at intervals, keeping the list current. Token filters, delay, or 'search on change' do not provide automatic periodic updates.

5
MCQeasy

A security analyst wants to visualize the count of login failures by source IP over the last 24 hours, but only for IPs with more than 10 failures. Which visualization type and SPL command combination is most appropriate?

A.Line chart with | top limit=10 showcount=1 by src_ip
B.Column chart with | stats count by src_ip | where count > 10
C.Scatter plot with | stats dc(src_ip) by failure
D.Pie chart with | chart count over src_ip | where count > 10
AnswerB

Correctly uses stats to count, filters, and column chart for comparison.

Why this answer

Option B is correct because it uses `stats count by src_ip` to aggregate login failures per source IP, then `where count > 10` to filter only IPs exceeding 10 failures, and a column chart is ideal for comparing discrete counts across categories (IP addresses). This combination directly answers the requirement: visualize count of failures by IP, with a threshold filter applied after aggregation.

Exam trap

The trap here is that candidates often confuse `top` with a threshold filter or misuse `chart` with incorrect syntax, thinking it can replace `stats` for aggregation, or they choose a visualization type (like scatter or pie) that is inappropriate for comparing counts across many categories.

How to eliminate wrong answers

Option A is wrong because `| top limit=10 showcount=1 by src_ip` returns the top 10 IPs by count, but it does not allow filtering for IPs with more than 10 failures (it only limits to 10 results, not a threshold). Option C is wrong because a scatter plot is used for two continuous variables, not for comparing counts of a single categorical field, and `stats dc(src_ip) by failure` counts distinct source IPs per failure count, which does not produce the required per-IP failure counts. Option D is wrong because `| chart count over src_ip` is invalid syntax (should be `chart count by src_ip`), and a pie chart is poor for comparing many categories; additionally, `where count > 10` cannot be applied after `chart` without a preceding `stats` or `eventstats`.

6
MCQeasy

A user wants to join data from two datasets in a search. Which command is used to combine results based on a common field, but only returns matching results?

A.append
B.union
C.lookup
D.join
AnswerD

Join combines results from two searches on a common field and returns only matching rows.

Why this answer

The join command performs an inner join by default, returning only matches. Append adds rows without matching, union is not a Splunk command, and lookup enriches data.

7
MCQhard

A company has a Splunk environment with multiple indexers and a search head. They have a large CSV lookup file for user permissions that is used in many dashboards. Recently, users have reported that dashboards are timing out or slow. The lookup file is about 500 MB and is stored in $SPLUNK_HOME/etc/apps/app_name/lookups/. The lookup is defined as an automatic lookup in props.conf for the source type 'user_activity'. The dashboards use the lookup to enrich events and then perform aggregations. The administrator checks the search logs and sees that searches using the lookup are taking a long time, and some are failing with 'Search head timeout'. The lookup file is updated daily by a script that replaces the file. Which course of action would best improve performance without sacrificing data enrichment?

A.Split the lookup into multiple smaller files and use multiple lookups
B.Remove the automatic lookup and use the lookup command only in the dashboards
C.Convert the CSV lookup to a KV Store lookup with the same data
D.Increase the search head timeout setting
AnswerC

KV Store lookups are faster for large datasets and can be used with automatic lookups, improving performance.

Why this answer

Converting the CSV lookup to a KV Store lookup provides better performance for large lookups. KV Store lookups are indexed and more efficient for large datasets, and they support automatic lookups. Simply using the lookup command in dashboards would not address the size issue, splitting into multiple files adds complexity, and increasing timeout only masks the problem.

8
Drag & Dropmedium

Arrange the steps to create a scheduled report in Splunk in the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Scheduled reports require saving a search as a report, then configuring its schedule and time range.

9
MCQeasy

Which of the following is a recommended practice when creating a lookup table file?

A.Place the file in the global lookups directory.
B.Use mixed case field names.
C.Include a header row with field names that contain no spaces.
D.Use tab-separated values.
AnswerC

Header rows are required, and avoiding spaces prevents errors.

Why this answer

Option D is correct. Using field names with no spaces or special characters avoids parsing issues. Option A is not recommended because mixed case can cause case-sensitivity problems.

Option B, tab-separated, is not standard; CSV with header is preferred. Option C, global lookups directory, is not best practice; it should be in the app's lookups directory.

10
MCQeasy

A lookup configured with WILDCARD match_type for pattern '10.*.25' is not matching some events. Which of the following event values would NOT be matched by this lookup?

A.10.1.2.25
B.10.1.25.1
C.10.1.25
D.10.2.25
E.10.10.25
AnswerB

Does not match because it does not end with '.25'.

Why this answer

Option E is correct because the pattern '10.*.25' matches any string that starts with '10.' and ends with '.25'. Option E ends with '.1', so it does not match. Options A, B, C, and D all match because they start with '10.' and end with '.25' (D has additional segments but the wildcard matches them).

11
MCQhard

What action can the administrator take to resolve this warning?

A.Increase the max_mem_usage_mb setting in limits.conf
B.Split the lookup into multiple smaller files
C.Convert the lookup to a KV Store lookup
D.Increase max_match in the lookup definition
E.Use the lookup command with local=t
AnswerA

This directly raises the memory limit for lookups.

Why this answer

The error indicates the lookup file exceeds the maximum memory allocation. Increasing the max_mem_usage_mb setting in limits.conf allows loading larger files.

12
MCQeasy

The security operations center (SOC) team at a medium-sized enterprise uses Splunk to investigate potential threats. They maintain a CSV lookup file named 'threat_intel.csv' that contains a list of known malicious IP addresses along with a threat score. The lookup is configured in transforms.conf as: [threat_intel] filename = threat_intel.csv match_type = WILDCARD(ip) They frequently run the following search to enrich firewall events with threat scores: index=firewall sourcetype=firewall_logs | lookup threat_intel src_ip OUTPUT threat_score | where threat_score > 5 Recently, analysts noticed that some IP addresses known to be present in the lookup file are not being matched in search results. They have verified that the lookup file is correctly formatted and contains those IPs, and the transforms.conf has not been altered. They also confirmed that the events contain the field src_ip with the correct IP addresses. Which of the following is the most likely cause of the missing matches?

A.The IP addresses in the lookup file are stored in a different case (e.g., uppercase) than in the events (lowercase).
B.The search is limited to a time range that excludes events with those IP addresses.
C.The lookup file contains duplicate entries for some IPs, causing conflicts.
D.The lookup command requires the input_fields parameter to specify which field to use for matching.
AnswerA

Lookups are case-sensitive by default; mismatched case prevents matching. This is a common issue.

Why this answer

The most likely cause is that the IP addresses in the lookup file and the events have different cases (e.g., uppercase vs. lowercase). Splunk lookups are case-sensitive by default unless the match_type is set to ignore case. Since the match_type is WILDCARD (which is still case-sensitive), case differences will prevent matching.

Option B is correct.

13
Multi-Selecthard

Which THREE of the following are best practices when using lookups in Splunk?

Select 3 answers
A.Use the lookup command instead of inputlookup when possible to reduce memory usage
B.Use automatic lookups to enrich data at search time without manual commands
C.Store lookup tables in KV Store when the table has more than 1 million rows
D.Always use KV Store lookups for faster performance compared to CSV lookups
E.Keep lookup file sizes under 500 MB to avoid performance degradation
AnswersA, B, E

lookup command streams data efficiently.

Why this answer

Option A is correct because using the `lookup` command with the `local=t` argument (or when the lookup table is small enough to be loaded into memory) can reduce memory usage compared to `inputlookup`, which always loads the entire lookup file into memory. The `lookup` command can stream results and only loads necessary fields, making it more efficient for large datasets. This is a best practice to avoid out-of-memory errors in distributed search environments.

Exam trap

Splunk often tests the misconception that KV Store is always superior to CSV lookups, but the trap is that KV Store has higher latency for static data and is only recommended for dynamic, frequently updated lookups or when the table size exceeds CSV memory limits.

14
Multi-Selectmedium

Which TWO configurations are required to create a geospatial visualization of server locations?

Select 2 answers
A.A sourcetype that includes country codes.
B.An index that contains geographic data.
C.A mappings.json file in the app directory.
D.A lookup table containing latitude and longitude fields.
E.The use of the geostats command.
AnswersC, D

mappings.json defines geographic shapes for choropleth or region maps.

Why this answer

Options A and D are correct. A lookup table with latitude and longitude fields provides the location data, and a mappings.json file defines the geographic shapes for the visualization. Options B, C, and E are not strictly required; they are optional or used for other purposes.

15
MCQhard

A team is designing a dashboard to monitor real-time server CPU utilization. They want to update every 10 seconds and use a gauge visualization. What is the best search mode to use for real-time performance?

A.Smart mode
B.Real-time mode
C.Fast mode
D.Verbose mode
AnswerC

Fast mode minimizes field extractions, improving real-time search performance.

Why this answer

Fast mode reduces computational overhead by limiting field extraction, which is ideal for real-time dashboards. Smart mode may do more work, Verbose mode returns all fields, and Real-time is not a search mode.

16
Multi-Selecthard

Which THREE of the following are features of the `timechart` command?

Select 3 answers
A.It automatically creates a time-based chart with a default span.
B.It can be used with the `by` clause to split into multiple series.
C.It can aggregate data using functions like count, sum, avg.
D.It can output results to a lookup file.
E.It requires the `span` option to be specified.
AnswersA, B, C

timechart bins events over time and produces a timechart visualization.

Why this answer

A, B, and C are correct. timechart supports aggregation functions (A), automatically creates a time-based chart with default span (B), and can split into multiple series with the `by` clause (C). D is incorrect because `span` is optional. E is incorrect because timechart does not output to a lookup file.

17
MCQhard

Refer to the exhibit. What is the most likely cause of this error?

A.The lookup definition [geo_lookup] does not exist in transforms.conf
B.The lookup file geo.csv is not present in the lookups directory
C.The field src_ip is misspelled in the lookup table
D.The user does not have read permission on the lookup table
AnswerA

The 'inputlookup' command requires a valid lookup definition; absence causes this exact error.

Why this answer

Option D is correct because the error 'Could not find lookup table' indicates the lookup definition (transforms.conf stanza) is missing or incorrect. Option A is incorrect because if the file were missing but definition existed, the error would mention 'file not found'. Option B is incorrect because permissions errors produce a different message.

Option C is incorrect because the error is about the table, not the field.

18
Multi-Selectmedium

A Splunk administrator is creating a dashboard to visualize real-time network traffic data. The dashboard must include a lookup to enrich source IPs with location data. The lookup file contains 500,000 entries and is updated hourly. Which TWO optimization techniques should the administrator apply to ensure dashboard performance?

Select 2 answers
A.Use a KV store lookup instead of a CSV lookup.
B.Use the append command instead of lookup to add fields.
C.Set the lookup to batch_index_query=true in transforms.conf.
D.Use a subsearch to filter the lookup file before joining.
E.Set the lookup to use max_matches=1 to prevent multiple matches.
AnswersA, E

KV store supports indexing and concurrent access, improving performance for large lookups.

Why this answer

Option A is correct because KV Store lookups are optimized for large, frequently updated datasets (like 500,000 entries updated hourly) by storing data in-memory and supporting indexed lookups, which significantly reduces search-time overhead compared to CSV lookups that require file parsing and scanning. This makes KV Store ideal for real-time dashboards where low latency is critical.

Exam trap

Splunk often tests the misconception that `batch_index_query=true` applies to all lookup types, but it is specific to index lookups and not CSV or KV Store lookups, leading candidates to incorrectly select it for file-based lookups.

19
MCQhard

A dashboard uses a timechart to show CPU usage over 24 hours. The time range selector is set to 'Last 7 days'. The chart displays data only for the last 24 hours. Which visualization setting is MOST likely causing this?

A.The chart's 'Time range override' is set to 24 hours.
B.The 'Max rows' is set to 24.
C.The 'Span' is set to 1 hour.
D.The data source only retains 24 hours.
AnswerA

A time range override on the panel overrides the dashboard selector.

Why this answer

The 'Time range override' setting on a visualization explicitly overrides the dashboard's global time picker. When set to a fixed duration like 24 hours, the chart ignores the 'Last 7 days' selection and only displays data for that specific window. This explains why the chart shows only the last 24 hours despite the dashboard time range being 7 days.

Exam trap

Splunk often tests the distinction between 'Time range override' (which changes the time window) and 'Span' (which changes the bucket size), leading candidates to confuse a bucket interval setting with a time range restriction.

How to eliminate wrong answers

Option B is wrong because 'Max rows' limits the number of data points displayed (e.g., 24 rows), not the time window; it could still show 24 rows spanning 7 days if the span is large enough. Option C is wrong because 'Span' controls the bucket interval (e.g., 1-hour buckets) but does not restrict the overall time range; a 1-hour span over 7 days would produce 168 data points, not truncate to 24 hours. Option D is wrong because the question states the data source retains 24 hours, but the dashboard time range is set to 7 days; if the data source only had 24 hours, the chart would show nothing beyond that, but the issue is that the chart shows exactly 24 hours, not that data is missing—this points to a visualization override, not a data retention limit.

20
Multi-Selectmedium

Which TWO of the following statements about lookup tables in Splunk are true?

Select 2 answers
A.Lookups can only add new fields to events; they cannot replace existing field values.
B.External lookups can only retrieve data from CSV files.
C.KV Store lookups require defining a collection in collections.conf.
D.CSV lookups can be updated by replacing the CSV file without restarting Splunk.
E.Lookup files can only be stored in $SPLUNK_HOME/etc/system/lookups/.
AnswersC, D

KV Store lookups are backed by a collection that must be defined in collections.conf.

Why this answer

CSV lookups can be updated by replacing the file; Splunk automatically reloads them. KV Store lookups require a collection definition in collections.conf. The other options are false: lookup files can be stored in app directories, external lookups can connect to various data sources via scripts, and lookups can replace field values if configured with overwrite=true.

21
Multi-Selectmedium

Which TWO of the following are best practices when creating lookup table files?

Select 2 answers
A.Use header rows with spaces in field names for readability.
B.Ensure the lookup file is in CSV format with the .csv extension.
C.Enable automatic lookup refresh for frequently updated files.
D.Place the lookup file in the $SPLUNK_HOME/etc/apps/search/lookups directory.
E.Use full paths in the lookup definition.
AnswersB, D

CSV with header row is the standard and recommended format.

Why this answer

B and C are correct. Using CSV format with a header row is standard (B). Placing the file in the app's lookups directory ensures proper access (C).

A is wrong because spaces in field names cause issues. D is unnecessary (full paths are not recommended). E is not a best practice for file creation; automatic refresh is configured separately.

22
MCQmedium

A user wants to create a trellis chart with multiple panels, each showing data for a different department. What attribute should be used to split the visualization?

A.Overlay
B.Split by
C.Drilldown
D.Color
AnswerB

Split by creates separate panels for each value of the field.

Why this answer

In trellis charts, the 'Split by' attribute divides the visualization into multiple panels based on a field value. Overlay, color, and drilldown are not used for splitting.

23
MCQeasy

Which visualization type is best for comparing the proportion of each error type to the total errors over time?

A.Pie chart (with multiple series)
B.Column chart
C.Line chart
D.Area chart
AnswerD

Stacked area chart effectively shows proportion over time.

Why this answer

Option D is correct because an area chart (especially stacked) shows proportions over time. Option A (column) can be used but area is more common for proportion over time. Option B (line) does not show proportion.

Option C (pie) is not time-based.

24
Multi-Selectmedium

Which TWO statements about lookups in Splunk are correct? (Choose two.)

Select 2 answers
A.The lookup command can be used to add fields from a lookup table to search results
B.External lookups can only be used with CSV files
C.KV store lookups support real-time updates during a search
D.CSV lookups can be updated in real-time by adding rows to the CSV file
E.Automatic lookups are configured in macros.conf
AnswersA, C

Correct; lookup command enriches events.

Why this answer

Option A is correct because the `lookup` command in Splunk is specifically designed to enrich search results by adding fields from a lookup table (such as CSV, KV Store, or external lookups) based on matching field values. This is a fundamental use case for lookups in Splunk, allowing you to augment raw event data with additional context from a static or dynamic source.

Exam trap

The trap here is that candidates often confuse the capabilities of CSV lookups (static, loaded at search start) with KV Store lookups (dynamic, real-time), and mistakenly assume that CSV files can be updated live or that automatic lookups are configured in macros.conf instead of transforms.conf.

25
MCQhard

An analyst observes that a lookup command with a large lookup file is causing the search to timeout. The lookup is used to extract additional fields based on a field value. What is the most effective immediate solution?

A.Change the match_type to WILDCARD to be more flexible.
B.Reduce the lookup file size by removing unused columns or rows.
C.Use the inputlookup command to load the entire table.
D.Increase the search timeout in limits.conf.
AnswerB

Smaller files process faster, and removing unnecessary data reduces lookup time.

Why this answer

Option C is correct because reducing the lookup file size (by removing unused columns or rows) directly reduces the amount of data processed, improving performance. Options A, B, D are less effective or exacerbate the issue.

26
Multi-Selecthard

Which two methods can reduce the resource consumption of a large CSV lookup in Splunk? (Choose 2)

Select 2 answers
A.Convert the CSV to a gzip file and reference it
B.Increase the max_match parameter
C.Use a time-based lookup to limit matches by time
D.Use the lookup command to only return required fields
E.Use a KV Store lookup with a smaller data set
AnswersD, E

Limiting output fields reduces data transfer and processing.

Why this answer

Option D is correct because using the `lookup` command with a field list (e.g., `| lookup mylookup.csv field1 OUTPUT field2 field3`) reduces resource consumption by only loading the specified output fields into memory, rather than the entire CSV lookup. This minimizes memory usage and I/O overhead, especially for large CSV files with many columns.

Exam trap

The trap here is that candidates often assume compressing the CSV file (Option A) would reduce resource consumption, but Splunk cannot read compressed CSV files natively, making this an invalid optimization.

27
MCQeasy

A security analyst wants to create a visualization that shows the count of failed login attempts per user over the last 7 days. Which visualization type is most appropriate?

A.Pie chart showing proportion of attempts per user
B.Line chart with time on x-axis and count on y-axis
C.Scatter chart showing correlation between user and time
D.Bar chart with users on x-axis and count on y-axis
AnswerB

Line charts effectively display changes over time.

Why this answer

A line chart is best for showing trends over time. A pie chart shows proportions at a single point, a bar chart can show comparisons but not trends, and a scatter chart is for correlations.

28
MCQmedium

A SOC manager wants to plot locations of security incidents on a map using latitude and longitude fields. Which visualization type should be used in a Splunk dashboard?

A.Cluster map
B.Choropleth map
C.Pie chart
D.Scatter chart
AnswerA

Cluster map visualizes point data on a map.

Why this answer

A cluster map is the correct choice because it is specifically designed to plot individual geographic coordinates (latitude/longitude) as points on a map, and it automatically groups nearby points into clusters to improve readability when many incidents are present. In Splunk, the cluster map visualization uses the `geostats` command or directly ingests lat/lng fields to render markers, making it ideal for showing security incident locations without requiring predefined region boundaries.

Exam trap

Splunk often tests the distinction between cluster maps (point-based) and choropleth maps (region-based), leading candidates to mistakenly choose choropleth when they see 'map' and 'latitude/longitude' in the same question.

How to eliminate wrong answers

Option B (Choropleth map) is wrong because it requires a field that maps to predefined geographic regions (e.g., country, state, ZIP code) and shades entire areas based on aggregated data, not individual latitude/longitude points. Option C (Pie chart) is wrong because it is a categorical chart used to show proportions of a whole, not spatial data. Option D (Scatter chart) is wrong because it plots numeric X/Y coordinates on a Cartesian plane, not geographic latitude/longitude on a map projection, and lacks map tile layers or clustering behavior.

29
Multi-Selecthard

Refer to the exhibit. An analyst runs a search over access_combined events and notices that some events are not getting the region_name and region_code fields. Which TWO changes could resolve this issue? (Choose two.)

Select 2 answers
A.Increase max_matches to a higher value
B.Check whether the field used for the lookup (clientip) is correctly extracted in the events
C.Remove the LOOKUP- stanza and use the lookup command in each search
D.Verify that the lookup file regions.csv contains matching values for all clientip values in the events
E.Set default_match to the desired default values for all fields
AnswersB, D

If clientip field is not extracted, lookup cannot match.

Why this answer

Option B is correct because if the `clientip` field is not properly extracted from the events, the lookup against `regions.csv` will fail to match, resulting in missing `region_name` and `region_code` fields. The lookup command or LOOKUP- stanza relies on a correctly extracted field to perform the key-value match; without it, no enrichment occurs.

Exam trap

Splunk often tests the distinction between lookup configuration issues (missing key field or missing CSV data) versus lookup performance settings (like `max_matches`), leading candidates to incorrectly choose options that adjust lookup behavior rather than fixing the data or extraction problem.

30
MCQhard

A lookup table must be updated multiple times per minute from an external API. Which lookup method provides the best performance for search-time enrichment?

A.CSV file lookup updated by a scheduled script
B.Index-time lookup using a transformation that queries the API during indexing
C.Scripted lookup that calls the API on each search
D.KV Store lookup updated via REST API
AnswerD

KV Store supports rapid updates and efficient indexed lookups at search time.

Why this answer

Option D is correct because KV Store lookups can be updated via REST API calls without reindexing and provide fast search-time lookups. Option A is incorrect because file lookups require rewriting the file and reloading. Option B is incorrect because index-time lookups require reindexing.

Option C is incorrect because scripted lookups call the API on every search, causing severe performance issues.

31
MCQmedium

An analyst creates a timechart to display the average CPU usage over time for multiple hosts. The chart shows a single line representing the overall average instead of separate lines per host. What is the most likely cause?

A.The search uses 'timechart avg(cpu) by host' but the host field is null.
B.The search uses 'timechart span=1h avg(cpu)' without splitting.
C.The visualization type is set to 'Column' instead of 'Line'.
D.The search uses 'timechart avg(cpu) over date' without a by clause.
AnswerB

Without a 'by' clause, timechart aggregates all events into one series.

Why this answer

Option C is correct because the timechart command without a 'by' clause produces a single series showing the overall average. Options A, B, and D would produce different issues but not the described symptom.

32
Multi-Selecthard

Which THREE are best practices for creating lookups in Splunk?

Select 3 answers
A.Use case-insensitive matching by default for user-facing lookups.
B.Use wildcard matching in lookups for better performance.
C.Use a time-based lookup for static reference data.
D.Define lookups in a lookup definition (transforms.conf).
E.Store lookup files in the lookups directory of the app.
AnswersA, D, E

Reduces user errors.

Why this answer

Option A is correct because using case-insensitive matching by default in user-facing lookups ensures that users do not need to worry about the case of the lookup key, which improves usability and reduces errors. In Splunk, this is configured via the `LOOKUP` command or in transforms.conf with the `case_sensitive_match = false` setting, which is the default behavior for most lookup types. This best practice avoids confusion when users query data with varying case formats, such as user names or hostnames.

Exam trap

The trap here is that candidates often confuse performance optimization with convenience, mistakenly thinking wildcard matching is a best practice, when in reality it is a performance anti-pattern that should be avoided in favor of exact or CIDR-based matching.

33
Multi-Selectmedium

Which TWO of the following are valid methods to create a lookup table in Splunk?

Select 2 answers
A.Use the eval command to create a lookup definition
B.Use the stats command to aggregate data into a lookup
C.Upload a CSV file through the Splunk Web interface
D.Use the outputlookup command in a search
E.Use the inputlookup command in a search
AnswersC, D

This creates a file-based lookup table.

Why this answer

Option C is correct because Splunk Web provides a direct interface to upload a CSV file and define it as a lookup table, automatically creating the lookup definition and file. Option D is correct because the `outputlookup` command in a search writes search results to a CSV file in the lookups directory, effectively creating a lookup table from dynamic data.

Exam trap

The trap here is that candidates confuse commands that *use* lookups (like `inputlookup`) with commands that *create* lookups, or assume that aggregation commands like `stats` inherently produce a lookup file.

34
MCQhard

A Splunk admin notices that a time-based lookup (defined in transforms.conf with time_range=TRUE) is not returning correct results for events outside the lookup's time boundaries. The lookup file contains rows with a valid time range. What is the most likely cause?

A.The lookup is defined as an automatic lookup and runs at index time
B.The lookup table has max_matches set to 1, limiting matches
C.The lookup file does not contain a time field
D.The event time is outside the time range defined in the lookup
AnswerD

Time-based lookups only match events whose _time falls within the row's time range.

Why this answer

When a time-based lookup is configured with time_range=TRUE in transforms.conf, Splunk restricts lookup matches to events whose timestamps fall within the time range specified in the lookup file. If an event's timestamp is outside that range, the lookup will not return any results, even if other fields match. This is the most likely cause because the question explicitly states that events are outside the lookup's time boundaries.

Exam trap

The trap here is that candidates may think the lookup file is missing a time field (Option C) when the question explicitly states it contains valid time ranges, or they may confuse time-based lookup behavior with other lookup types that do not enforce time boundaries.

How to eliminate wrong answers

Option A is wrong because automatic lookups run at search time, not index time; index-time lookups are configured with `lookup_index` and are not time-based. Option B is wrong because `max_matches=1` limits the number of results per event but does not prevent matches for events outside the time range; it would still return a match if the time range condition is satisfied. Option C is wrong because the lookup file must contain a time field for time-based lookups to work; the question states the lookup file contains rows with a valid time range, so a time field is present.

35
Multi-Selectmedium

Which three considerations are important when creating a visualization for a dashboard that will be displayed on a large monitor? (Choose 3)

Select 3 answers
A.Use small font sizes to fit more information
B.Ensure the chart type is appropriate for the data
C.Use high contrast colors
D.Use drill-down actions for detailed views
E.Minimize the number of data points
AnswersB, C, D

Appropriate chart type is always essential.

Why this answer

High contrast improves readability, appropriate chart type is fundamental, and drill-down actions provide interactive details. Small fonts and minimizing data points are detrimental.

36
MCQeasy

What is the type of visualization produced?

A.A bar chart.
B.A pie chart.
C.A scatter chart.
D.A line chart.
AnswerB

The `pie` command creates a pie chart.

Why this answer

Option D is correct. The `pie` command generates a pie chart from the statistical results. Option A (bar chart) is produced by `chart`, not `pie`.

Option B (scatter) and C (line) are not applicable.

37
MCQmedium

A user creates a lookup definition for a CSV file containing user roles. The lookup is used in a search: `| lookup user_roles username OUTPUT role`. The search returns no additional field. The lookup file has columns: 'username', 'role', 'department'. What is the MOST likely issue?

A.The username field in the search is not extracted.
B.The lookup file is not in the lookups directory.
C.The lookup definition uses a different filename than the CSV.
D.The 'role' field is misspelled in the search.
AnswerC

If the definition points to a different file, no matches occur.

Why this answer

Option C is correct because the lookup definition must reference the exact filename of the CSV file. If the definition points to a different filename than the actual CSV, the lookup will fail to load the file, and no fields will be returned. The search syntax is otherwise correct, so the issue lies in the mismatch between the definition and the file.

Exam trap

Splunk often tests the distinction between a lookup definition that exists but points to the wrong file versus a missing file or a field extraction issue, so candidates mistakenly choose Option B (missing file) or Option A (field not extracted) instead of recognizing the filename mismatch.

How to eliminate wrong answers

Option A is wrong because the search uses the username field directly in the lookup command, and if it were not extracted, the lookup would not match any rows but would still attempt to run; the issue is that no additional field is returned at all, not that the lookup fails to match. Option B is wrong because if the file were not in the lookups directory, Splunk would log an error and the lookup would not run, but the question states the lookup is used and returns no additional field, implying the lookup definition exists but the file is not loaded correctly. Option D is wrong because the 'role' field is correctly spelled in the search and matches the CSV column; a misspelling would cause the OUTPUT clause to fail silently or return an empty field, but the core issue is that the lookup definition does not point to the correct file.

38
MCQhard

A large e-commerce company uses Splunk to monitor transactions. They have a CSV lookup file named 'customer_lookup.csv' containing 5 million rows of customer data (customer_id, name, address, tier). The lookup is used in a search that runs every hour to generate a report of sales by customer tier: index=transactions sourcetype=transaction_logs | lookup customer_lookup customer_id OUTPUT name, address, tier | timechart count by tier The search often times out or takes too long to complete, impacting operational dashboards. The team is considering optimization strategies. The lookup file is updated daily and stored in a custom app directory. The Splunk environment is distributed with a single search head and multiple indexers. Which of the following recommendations would most effectively improve the search performance?

A.Use a subsearch to first find matching customer IDs and then join with the lookup.
B.Convert the CSV lookup to a KV Store lookup by defining a collection and populating it from the CSV.
C.Use the `timechart` command with `partial=true` to allow the search to return intermediate results.
D.Remove the OUTPUT fields name and address from the lookup, keeping only the tier field.
AnswerB

KV Store lookups provide faster, indexed lookups for large datasets, reducing search time significantly.

Why this answer

While all options could offer some improvement, using a KV Store lookup is the most effective for large lookups. KV Store lookups are designed for high-performance key-value lookups and scale better than CSV lookups for millions of rows. This reduces the time spent matching events against the lookup.

Option A is correct.

39
MCQmedium

A Splunk administrator is troubleshooting a slow dashboard that uses a timechart with a large dataset. Which of the following is a best practice to improve performance?

A.Increase the number of concurrent searches
B.Use the eval command to add fields
C.Use data model acceleration
D.Increase the search bucket count
AnswerC

Data model acceleration speeds up searches on data models significantly.

Why this answer

Data model acceleration pre-computes data for faster searches. Increasing bucket count, using eval, or increasing concurrent searches do not directly improve performance and may worsen it.

40
MCQhard

An organization uses Splunk to monitor network traffic. They have a CIDR lookup file that maps IP ranges to departments. When they run a search using `| lookup cidr_lookup IP OUTPUT department`, some IP addresses do not return a department even though the IPs are within the defined ranges. What is the most likely issue?

A.The lookup definition is not configured as a CIDR type
B.The IP addresses in the events are in lowercase
C.The lookup file is not in CSV format
D.The lookup file is compressed and not being read correctly
AnswerA

CIDR lookups must be defined with type=cidr in transforms.conf.

Why this answer

The most likely issue is that the lookup definition is not configured as a CIDR type. In Splunk, a standard lookup performs exact string matching, so it will not correctly match an IP address against a range defined in a CIDR notation (e.g., 10.0.0.0/24). To enable range-based matching, the lookup definition must be explicitly set to 'CIDR' type in transforms.conf, which allows Splunk to evaluate whether the IP falls within the specified subnet.

Without this configuration, the lookup will fail to return a department for IPs that are within the defined ranges.

Exam trap

The trap here is that candidates often assume a lookup file with CIDR ranges will automatically work for IP matching, but Splunk requires an explicit configuration change to enable CIDR-based matching instead of exact string matching.

How to eliminate wrong answers

Option B is wrong because IP addresses in Splunk events are case-insensitive strings, and CIDR lookups treat them as text; lowercase does not affect matching. Option C is wrong because Splunk supports lookup files in CSV, KV store, and other formats, and a CIDR lookup file can be in CSV format as long as the definition is correctly configured. Option D is wrong because Splunk can read compressed lookup files (e.g., .csv.gz) without issue, and compression does not prevent CIDR matching if the definition is properly set.

41
MCQhard

A lookup table file contains 10GB of data. When performing a lookup using the lookup command, search performance is extremely slow. Which approach will most effectively improve performance without losing functionality?

A.Split the lookup into multiple smaller files and use a chain of lookups.
B.Use the inputlookup command to load the entire table into memory.
C.Set the max_memtable_bytes in limits.conf to increase memory.
D.Create a time-based lookup with limited time range.
E.Convert the lookup to a KV store lookup.
AnswerE

KV store lookups are optimized for large datasets and provide faster lookups compared to file-based lookups.

Why this answer

Option A is correct because converting to a KV store lookup uses a more efficient storage and retrieval mechanism, ideal for large lookup tables. Options B, C, D, and E are less effective or reduce functionality.

42
MCQmedium

Refer to the exhibit. What happens when a user clicks on a status value in the table?

A.Nothing happens; the token is not used
B.Both the table and chart update
C.The table filters to show only events with that status
D.The chart updates to show methods for that status
AnswerD

The chart search uses $selected_status$ and refreshes when the token changes.

Why this answer

Option C is correct because the token is set and the chart panel relies on it (depends="$selected_status$"), so the chart updates to show methods for that status. The table does not change because it has no dependency on the token. Option A is incorrect because the table remains unchanged.

Option B is incorrect because only the chart updates. Option D is incorrect because the token update triggers a search refresh.

43
Multi-Selecteasy

Which THREE steps are necessary to create a file-based lookup?

Select 3 answers
A.Upload the lookup file to the correct directory.
B.Define a lookup definition in transforms.conf.
C.Create a lookup definition in props.conf.
D.Define an automatic lookup in props.conf.
E.Restart Splunk.
AnswersA, B, E

The file must be placed in the app's lookups directory (e.g., $SPLUNK_HOME/etc/apps/search/lookups).

Why this answer

A, B, and D are necessary. Upload the file to the correct lookups directory (A), define a lookup definition in transforms.conf (B), and restart Splunk to apply changes (D). C is not required; props.conf is for field extractions, not lookup definitions.

E is optional only if you want automatic lookup.

44
MCQhard

Refer to the exhibit. The lookup 'lookup_user_info' is used in a search: `| lookup lookup_user_info user_id OUTPUT department`. Users report that many events show 'UNKNOWN' as department even though the user_id exists in the CSV. What is the most likely cause?

A.The lookup file is not distributed to all indexers.
B.The field name in the CSV header is 'User_ID' (capital U), while the event field is 'user_id' (lowercase). Splunk field matching is case-sensitive.
C.The match_type is not specified, defaulting to EXACT, but the CSV contains case variations.
D.The max_matches should be set to 0.
E.The lookup definition is missing the default_match setting, which should be set to 'no_match'.
AnswerB

Splunk field names are case-sensitive; the mismatch causes no match, returning the default 'UNKNOWN'.

Why this answer

Option B is correct because Splunk lookups are case-sensitive when matching field values. The exhibit shows the CSV header uses 'User_ID' (capital U), while the search references 'user_id' (lowercase). Since the lookup field name in the definition must exactly match the event field name, the mismatch causes the lookup to fail, returning 'UNKNOWN' for all events even when the user_id exists in the CSV.

Exam trap

The trap here is that candidates often assume Splunk field matching is case-insensitive, but Splunk treats field names in lookups as case-sensitive, leading to silent failures when the CSV header case does not match the event field case.

How to eliminate wrong answers

Option A is wrong because the lookup file is used in a search that runs on the search head; it does not need to be distributed to indexers unless it is used in an index-time lookup or a distributed lookup scenario, which is not indicated. Option C is wrong because the default match_type is EXACT, but the issue is a field name mismatch (case sensitivity of the field name itself), not case variations in the data values. Option D is wrong because max_matches controls how many matching rows to return per event; setting it to 0 would return no matches, but the core problem is that no match is found due to field name mismatch, not the number of matches.

Option E is wrong because the default_match setting controls what value to output when no match is found; while it could be set to 'no_match', the root cause is the field name mismatch, not the absence of this setting.

45
Multi-Selecthard

A security analyst is using a lookup table to enrich IP addresses with threat intelligence. Which THREE statements about lookups are true?

Select 3 answers
A.Lookups can be used to add fields from an external source
B.Lookups can only be used with exact match
C.Lookups require the data to be indexed in Splunk
D.A lookup can be configured as automatic in props.conf
E.Lookups can be based on CSV files or KV store
AnswersA, D, E

That is the primary purpose of lookups: enrichment.

Why this answer

Lookups can be automatic via props.conf, can be based on CSV or KV Store, and are used to add fields from an external source. They are not limited to exact match (range lookups exist) and do not require data to be indexed in Splunk.

46
Multi-Selectmedium

Which TWO settings are required in a transforms.conf stanza for a file-based lookup to work? (Select two.)

Select 2 answers
A.max_matches
B.match_type
C.case_sensitive_match
D.filename
E.default_match
AnswersB, D

Required to define the matching algorithm (e.g., exact, CIDR).

Why this answer

Options A and C are correct because filename specifies the lookup file, and match_type specifies how to compare the source field (e.g., exact, CIDR). Options B, D, and E are optional: max_matches limits matches, default_match provides a default value, case_sensitive_match is an advanced option.

47
MCQeasy

An analyst runs this search and gets no results. The lookup file server_list.csv exists and contains data. What is the most likely issue?

A.The lookup file is not in the correct lookup directory.
B.The field names in the CSV do not match the search fields.
C.The search should include an index specification.
D.The search should use 'lookup' instead of 'inputlookup'.
AnswerB

If the CSV has different field names, the search conditions won't match, resulting in zero results.

Why this answer

Option C is correct because the field names in the CSV must match the search fields (status, hostname, ip_address). If the CSV uses different field names, no results will be returned. Options A, B, and D are less likely or incorrect.

48
MCQhard

An analyst runs this search and gets a chart with only the top 5 hosts per time bucket, but the total count per bucket is much higher than the displayed counts. What is the issue?

A.The chart is missing a 'useother=t' option to aggregate the remainder into an 'Other' bucket.
B.The limit parameter is misused; it should be 'limit=0' to show all hosts.
C.The timechart command automatically uses 'other' for the remaining hosts.
D.The limit parameter applies to the entire search, not per bucket.
E.The limit parameter restricts the number of series per bucket, but not the overall count aggregation.
AnswerA

Adding useother=t groups remaining hosts into 'Other' to account for total count.

Why this answer

Option E is correct because without useother=t, the timechart drops all hosts beyond the top 5. Option A is misleading because the total count is not shown. Options B, C, and D are incorrect descriptions of the command behavior.

49
Multi-Selectmedium

An administrator is designing a dashboard with multiple panels that share a common time picker. Which THREE dashboard features can be used to synchronize time across panels?

Select 3 answers
A.Use the 'link time' option in dashboard editor
B.Use the $time_token$ variable in panel searches
C.Use a single time input with a token
D.Set each panel's time range independently
E.Use the 'earliest' and 'latest' fields with a shared token
AnswersB, C, E

Referencing the token ensures panels share the same time.

Why this answer

Using a single time input with a token, referencing the token in panel searches, and using earliest/latest fields with the token are standard methods. Setting each panel independently does not synchronize, and 'link time' is not a standard feature.

50
Multi-Selectmedium

A Splunk user wants to create a stacked bar chart showing the count of events by status (success, failure) over time. Which TWO configuration steps are necessary?

Select 2 answers
A.Use the timechart command with a split-by field
B.Use the eval command to create a new field
C.Use the chart command with a split-by field
D.Select the 'line' chart type
E.Set the stack mode to 'stacked' in visualization options
AnswersA, E

timechart count by status produces time-series data with separate series.

Why this answer

To create a stacked bar chart over time, you need to use timechart with a split-by field to get time series and then set the stack mode to stacked in visualization options. Chart command does not inherently produce time series, and eval is not needed. Line chart is not stacked bar.

51
MCQeasy

Which of the following is required to create a dynamic lookup that automatically updates from a CSV file?

A.Define the lookup in transforms.conf and props.conf
B.Use the lookup command in searches
C.Upload the CSV to the lookups folder only
D.Only define in transforms.conf
AnswerA

Both files are needed: transforms.conf defines the lookup, props.conf associates it with a source type for automatic application.

Why this answer

For an automatic lookup that updates when the file changes, you must define the lookup in both transforms.conf and props.conf. Simply defining in transforms.conf or uploading the file is insufficient without props.conf to enable the automatic lookup.

52
MCQeasy

A team wants to visualize sales data on a map. They have a lookup table containing city names and their latitude/longitude coordinates. Which visualization type should they use in Splunk to plot the sales amounts on a map?

A.Single value
B.Gauge
C.Choropleth map
D.Scatter plot
AnswerC

Choropleth maps color regions based on values.

Why this answer

C is correct because a choropleth map uses geographic boundaries (e.g., countries, states, or cities) and shades or colors them based on a numeric value, such as sales amounts. With a lookup table providing latitude/longitude coordinates, Splunk can geocode the city names and overlay the sales data on a map using the `geostats` command, which is designed for choropleth visualizations.

Exam trap

The trap here is that candidates often confuse a scatter plot (which can plot lat/lon as x/y coordinates) with a choropleth map, but Splunk's scatter plot does not support geographic boundary shading or the `geostats` command required for map-based aggregation.

How to eliminate wrong answers

Option A is wrong because a single value visualization displays one metric (e.g., total sales) as a large number or gauge, not a geographic map. Option B is wrong because a gauge shows a single numeric value within a range (e.g., a speedometer-style dial) and cannot plot multiple data points across locations. Option D is wrong because a scatter plot plots individual points on an x-y axis based on two numeric fields, not geographic coordinates; while it could theoretically use lat/lon as axes, it lacks the boundary-based shading and geographic context of a choropleth map.

53
MCQhard

A large e-commerce company has a Splunk environment ingesting web server logs from multiple data centers. The security team needs to visualize failed login attempts over time, grouped by geographic region. They have a lookup file geo_region.csv that maps IP addresses to regions. The lookup is defined in transforms.conf with max_matches=0 (all matches) and is used as an automatic lookup in props.conf for the sourcetype 'web_access'. The search returns events with multiple region values per IP (because max_matches=0). The team wants a single region per event for accurate counting. They also need to reduce the number of events processed by filtering only login failures (status=401). Which approach should be taken?

A.Use | where status=401 | dedup src_ip | timechart count by region
B.Modify the automatic lookup to use max_matches=1, and add | where status=401 to the search before the timechart
C.Use | where status=401 | mvexpand region | timechart count by region
D.Use | where status=401 | top limit=100 region
AnswerB

Filters early and ensures one region per event.

Why this answer

Option B is correct because modifying the automatic lookup to use max_matches=1 ensures that each event is assigned a single region, eliminating the need for deduplication or expansion. Adding the `| where status=401` filter before the timechart reduces the dataset to only failed login attempts, allowing accurate counting by region over time. This approach is efficient and directly addresses the requirement for a single region per event.

Exam trap

The trap here is that candidates may think `mvexpand` or `dedup` can fix the multivalue region issue, but they fail to realize that these commands either inflate counts or discard valid data, whereas adjusting the lookup configuration is the proper solution.

How to eliminate wrong answers

Option A is wrong because `dedup src_ip` removes duplicate source IPs but does not resolve the multiple region values per event; it may also incorrectly discard legitimate events from the same IP with different timestamps or regions. Option C is wrong because `mvexpand region` creates multiple events from a single event (one per region), which inflates the count of failed logins and produces inaccurate results. Option D is wrong because `top limit=100 region` only shows the top 100 regions by count, not a time-based visualization, and does not filter to a single region per event.

54
Multi-Selecteasy

Which THREE of the following are valid methods to create a lookup table in Splunk?

Select 3 answers
A.Use the REST API to upload a CSV file.
B.Define a lookup in props.conf with a filename.
C.Upload a CSV file via the Lookups menu in Settings.
D.Use the 'outputlookup' command in a search.
E.Use the 'inputlookup' command to create a new file.
AnswersA, C, D

The REST API allows programmatic upload of lookup files.

Why this answer

Options A, B, and E are correct. You can upload a CSV via the Settings menu, use the outputlookup command to create a lookup from search results, or use the REST API. Options C and D are incorrect because props.conf does not create lookups, and inputlookup reads but does not create.

55
MCQmedium

An admin wants to create a dashboard that shows the count of errors by sourcetype over the last 7 days, with the ability to click on a sourcetype to drill down to a detailed search. Which visualization and configuration supports this?

A.Use a line chart and set the 'drilldown' to 'search' in the search command.
B.Use a bar chart and set the 'drilldown' option to 'search' in the dashboard XML.
C.Use a pie chart and set the 'drilldown' option to 'search' in the dashboard XML.
D.Use a table and set the 'link' in search string.
AnswerB

Bar charts compare counts effectively and drilldown is configured in dashboard XML.

Why this answer

Option B is correct because a bar chart is suitable for comparing counts across sourcetypes and allows drilldown via dashboard XML. Option A also supports drilldown but pie charts are less effective for many categories. Options C and D are not optimal or incorrectly describe drilldown configuration.

56
MCQhard

An analyst needs to create a time-series chart showing the percentage of total HTTP status codes per day. Which approach is most efficient?

A.timechart count by status | eventstats sum(count) as total by _time | eval pct = round(count/total*100,2) | chart first(pct) over _time by status
B.chart count by status over _time | eval pct = count / sum(count) * 100
C.timechart count by status | addtotals | eval pct = count / total * 100
D.timechart count by status | append [timechart count] | eval pct = count / [| timechart count] * 100
AnswerA

This correctly computes percentages per time bucket and presents them in a time series.

Why this answer

Option A is correct because using timechart to get counts by status, then eventstats to compute total per day, and eval to calculate percentage, is efficient and clear. Option B is incorrect because using chart with a single stats command cannot compute percentages across groups per time bucket. Option C is incorrect because addtotals adds overall totals but does not compute per-day percentages.

Option D is incorrect because overcomplicates with subsearches.

57
MCQeasy

What is the purpose of an automatic lookup?

A.To automatically validate lookup field names.
B.To automatically update a lookup file when the CSV changes.
C.To automatically create a lookup table from search results.
D.To automatically apply a lookup to events based on a source type or index at search time.
AnswerD

Automatic lookups enrich events transparently when data is indexed or searched.

Why this answer

Option A is correct. An automatic lookup is configured in transforms.conf or props.conf to apply a lookup to events based on sourcetype or index at search time, enriching events without manual lookup command. Option B describes outputlookup.

Option C is not automatic; you need to restart or reload to pick up changes. Option D is not a feature of automatic lookups.

58
MCQmedium

An analyst uses the following search: `... | timechart span=1h count by status`. What is the purpose of the span argument?

A.It limits the number of status values displayed.
B.It groups events into 1-minute intervals.
C.It sets the time range of the chart.
D.It defines the time interval for each data point (1 hour).
AnswerD

span=1h means each data point aggregates events from a 1-hour window.

Why this answer

Option C is correct. The span argument defines the time interval for each data point in the timechart. Here, span=1h means each bucket represents one hour.

Option A is incorrect because it says 1-minute. Option B is misleading because the time range is set by the search time picker, not span. Option D is incorrect because the 'by' clause handles splitting, not span.

59
MCQeasy

A user has created a dashboard panel using a 'chart' command with 'datacount by host'. The chart shows counts per host, but the hosts appear in alphabetical order. The user wants to sort the chart by count descending, so that the host with the most events appears first. The search is: index=main sourcetype=access | chart count by host. The dashboard is built using Simple XML. Which approach should be used to achieve the desired sorting?

A.Use the 'top' command instead of 'chart' to automatically sort by count.
B.Use 'eventstats' to compute counts and then sort by count.
C.Add '| sort -count' after the chart command in the search.
D.Use the chart properties panel in the dashboard editor to set sorting by count descending.
AnswerC

Sort after chart reorders the results.

Why this answer

Option B is correct because adding | sort -count after chart sorts the results. Option A is wrong because chart properties do not include sorting by count. Option C is wrong because eventstats is unnecessary.

Option D is wrong because top command changes output format.

60
MCQhard

An analyst needs to create a visualization that shows the relationship between source IP and destination port in network traffic. Which visualization type is most appropriate?

A.Choropleth map
B.Sankey diagram
C.Single value
D.Column chart
AnswerB

Sankey diagrams effectively illustrate flows between two dimensions.

Why this answer

A Sankey diagram is designed to show flow relationships between sources and destinations. Choropleth maps are geographic, single values show one number, and column charts are for comparisons.

61
Multi-Selecteasy

Which TWO SPL commands can be used to create a time-based chart showing event counts over time? (Select two.)

Select 2 answers
A.eventstats
B.chart (with time span)
C.timechart
D.where
E.stats
AnswersB, C

chart can be used with an explicit span over _time to produce a similar result.

Why this answer

Options A and B are correct: timechart automatically creates a time-based chart, and chart with a span over _time can also create one. Options C, D, and E do not produce charts: stats returns a table, eventstats adds fields, where filters events.

62
MCQeasy

A dashboard developer wants to display the count of errors over the last 24 hours with a line chart. Which search command should be the final command before the visualization?

A.chart
B.trendline
C.stats
D.timechart
AnswerD

timechart produces a time-based chart by default.

Why this answer

timechart automatically creates a time-based chart suitable for line chart visualization without additional formatting.

63
MCQmedium

What is the MOST likely cause of this error?

A.The lookup is not configured to output all fields.
B.The lookup definition filename is incorrect.
C.The CSV file has a trailing space in the column header 'asset_type'.
D.The `where` command cannot be used after `inputlookup`.
AnswerC

Trailing spaces cause field name mismatch.

Why this answer

The error is most likely caused by a trailing space in the CSV column header 'asset_type'. When `inputlookup` reads a CSV file, it treats column headers as literal strings; a trailing space makes the field name 'asset_type ' (with a space) instead of 'asset_type'. This mismatch causes the `where` command to fail because it references 'asset_type' without the space, leading to a field-not-found error.

Exam trap

Splunk often tests the subtlety that CSV headers are parsed literally, including whitespace, and candidates mistakenly assume Splunk automatically trims or normalizes field names, leading them to overlook trailing spaces as the root cause.

How to eliminate wrong answers

Option A is wrong because a lookup not configured to output all fields would simply not return certain fields, but it would not cause a field-not-found error in the `where` command; the lookup would still work with the fields it does output. Option B is wrong because an incorrect lookup definition filename would cause a 'lookup table not found' error, not a field mismatch error in the `where` clause. Option D is wrong because the `where` command can absolutely be used after `inputlookup`; it is a standard pattern for filtering results from a lookup table.

64
Multi-Selectmedium

Which TWO are valid methods to join data from a CSV file in a Splunk search?

Select 2 answers
A.`| append myfile.csv`
B.`| join myfile.csv`
C.`| lookup myfile.csv`
D.`| csvlookup myfile.csv`
E.`| inputlookup myfile.csv`
AnswersC, E

`lookup` joins fields from a lookup file.

Why this answer

Option C is correct because the `| lookup` command can reference a CSV file defined as a lookup table in Splunk, allowing field-based enrichment of search results. This is a standard method for joining data from a CSV file within a search, provided the lookup is properly configured in transforms.conf and props.conf.

Exam trap

The trap here is that candidates often confuse `| lookup` with `| inputlookup`, not realizing that both are valid for CSV data but serve different purposes—`| lookup` for field-based enrichment and `| inputlookup` for loading the entire file as a dataset.

65
MCQmedium

You are a Splunk power user at a manufacturing company. You have created a timechart that shows machine temperature readings over time. The data is indexed with timestamps every minute, but the timechart shows gaps where no data exists because some machines may not report at all times. You want to fill the gaps with 0 values to avoid misleading visualizations. The current search is: index=manufacturing sourcetype=temperature | timechart span=1h avg(temp) by machine. Which modification to the timechart command will fill the gaps with 0?

A.timechart span=1h cont=t
B.timechart span=1h limit=0
C.timechart span=1h usenull=t
D.timechart span=1h usenull=f useother=f
AnswerC

usenull=t fills nulls with 0.

Why this answer

Option A is correct because usenull=t fills null values with 0. Option B is wrong because usenull=f leaves gaps. Option C is wrong because limit=0 does not fill nulls.

Option D is wrong because cont=t ensures continuous time but does not fill with 0.

66
Multi-Selecthard

Which THREE practices improve lookup performance in Splunk? (Select three.)

Select 3 answers
A.Use large CSV files configured as automatic lookups for always-current data
B.Use KV Store lookups for data that is updated frequently
C.Apply formatting options like 'format' command to reduce lookup size
D.Use index-time lookups for static reference data that rarely changes
E.Keep lookup files small and focused for fast search-time loading
AnswersB, D, E

KV Store provides fast indexed lookups and supports frequent updates without reindexing.

Why this answer

Options A, B, and C are correct: using index-time lookups avoids repeated lookups at search time (static data benefit); using small static lookups reduces memory overhead; using KV Store for frequently updated data provides efficient indexed lookups. Option D is incorrect because large CSVs in automatic lookups degrade performance. Option E is incorrect because formatting options do not impact performance.

67
MCQmedium

A dashboard panel uses a timechart to show error counts over time. Users report that the time range picker does not affect the panel. What is the most likely cause?

A.The dashboard is not shared.
B.The panel uses 'stats' instead of 'timechart'.
C.The index is not time-based.
D.The search uses a fixed earliest and latest time.
AnswerD

Fixed time overrides the time picker.

Why this answer

Option B is correct because if the search uses fixed earliest/latest times, the time picker has no effect. Option A is wrong because stats can still respect the time range. Option C is wrong because the index being non-time-based would prevent any time range from working, but the panel would show no data.

Option D is wrong because sharing doesn't affect time range behavior.

68
MCQmedium

An analyst uses the following search: `index=web status=500 | timechart count by method`. What does the timechart command do?

A.Calculates the total count per day for each method.
B.Bins events into 1-hour intervals by default.
C.Shows only the top 10 methods.
D.Splits the count by the 'method' field into separate series.
AnswerD

The 'by' clause creates a separate time series for each unique value of method.

Why this answer

Option B is correct. The `by` clause in timechart splits the count into separate series for each value of the 'method' field. Option A is not necessarily true—default span depends on time range.

Option C is false; there is no limit by default. Option D is incorrect because it does not calculate per day; it uses the time range of the search.

69
MCQeasy

A large e-commerce company uses Splunk to monitor its web application performance. The operations team has created a dashboard with a timechart showing the 95th percentile of page load times over the last 24 hours. Recently, the dashboard stopped showing data for the last hour. The Splunk administrator confirms that the index is receiving data and the sourcetype is correctly configured. The search string is: `index=web_app sourcetype=access_combined earliest=-24h@h latest=@h | timechart perc95(page_load_time) by host` The dashboard panel uses a base search and a post-process search. The base search is: `index=web_app sourcetype=access_combined earliest=-7d@d latest=@h` What is the most likely cause of the missing last hour of data?

A.The post-process search has a time range override that conflicts with the base search.
B.The base search uses a macro that is not defined in the app context.
C.The index is not being searched because the base search uses a wrong sourcetype.
D.The base search time range is set to latest=@h, which excludes data from the current partial hour.
AnswerD

@h snaps to the beginning of the hour, missing the last 45 minutes.

Why this answer

The base search uses `latest=@h`, which snaps the end time to the beginning of the current hour (e.g., 14:00:00), excluding any data from the current partial hour (e.g., 14:00:01 to 14:59:59). Since the dashboard panel relies on this base search, the post-process search inherits that time range, causing the last hour of data to be missing even though the index is actively receiving data.

Exam trap

Splunk often tests the subtle behavior of time modifiers like `@h` and `@d`, where candidates mistakenly believe the data is missing due to indexing or sourcetype issues rather than the time range snapping to the start of the current hour.

How to eliminate wrong answers

Option A is wrong because the post-process search does not have a time range override; it inherits the base search's time range, and no conflict is described. Option B is wrong because the base search does not use a macro; it is a literal search string. Option C is wrong because the base search correctly specifies `sourcetype=access_combined`, matching the panel's search, and the administrator confirmed the sourcetype is correctly configured.

70
Multi-Selectmedium

Which THREE factors should be considered when deciding between using a lookup table and a KV store for enriching data?

Select 3 answers
A.KV store collections can be used with the 'inputlookup' command.
B.KV store collections can be updated in real-time via REST API.
C.KV store collections can be used with the 'kv' command.
D.Lookup tables support time-based lookups.
E.Lookup tables are faster for large datasets.
AnswersB, C, D

KV store supports real-time updates.

Why this answer

Options A, C, and D are correct. A: KV store can be updated in real-time via REST. C: Lookup tables support time-based lookups.

D: KV store can be used with 'kv' command. B is false because KV store is faster for large datasets. E is false because 'inputlookup' is for file-based lookups.

71
MCQmedium

A team uses a lookup table to map employee IDs to department names. The lookup is defined in transforms.conf with max_matches=1. Some events have multiple employee IDs in the emp_id field (comma-separated). The analyst wants to see the department for each ID. Which approach should be used?

A.Use | makemv delim="," emp_id | lookup employee_lookup emp_id OUTPUT department
B.Use | eval department=match(emp_id, "(?i)" . lookup_table)
C.Use | eval emp_ids=split(emp_id, ",") | mvexpand emp_ids | lookup employee_lookup emp_id OUTPUT department
D.Use | inputlookup employee_lookup where emp_id IN (emp_id_field)
AnswerC

Correctly splits and expands each ID, then looks up department.

Why this answer

Option C is correct because it first splits the comma-separated emp_id field into a multivalue field using split(), then expands each value into its own event with mvexpand, and finally performs the lookup with max_matches=1 to retrieve the department for each individual ID. This ensures that the lookup processes each ID separately, even though the original field contained multiple values.

Exam trap

The trap here is that candidates often confuse makemv (which only creates a multivalue field) with mvexpand (which actually creates separate events), leading them to choose Option A and miss the need to expand before lookup.

How to eliminate wrong answers

Option A is wrong because makmew with delim=',' creates a multivalue field but does not expand it into separate events; with max_matches=1, the lookup would only match the first value and ignore the rest. Option B is wrong because match() is a string-matching function, not a lookup mechanism, and the syntax is invalid for performing a table lookup. Option D is wrong because inputlookup does not accept a dynamic field reference like emp_id_field; it requires a literal value or a subsearch, and it cannot be used inline with event data.

72
MCQmedium

A lookup table maps combinations of 'source_ip' and 'dest_port' to a 'policy' field. The lookup is defined in transforms.conf with a max_match of 1. Which lookup command syntax will correctly perform the lookup?

A.lookup policy_lookup source_ip dest_port
B.lookup policy_lookup (source_ip, dest_port) OUTPUT policy
C.lookup policy_lookup source_ip dest_port OUTPUT policy
D.lookup policy_lookup source_ip, dest_port OUTPUT policy
AnswerC

This syntax correctly maps event fields to lookup fields.

Why this answer

The lookup command takes a space-separated list of event fields to match against lookup fields in order.

73
MCQhard

A large CSV lookup file (over 10 million rows) is causing search performance degradation. Which solution best improves performance without sacrificing accuracy?

A.Increase the max_memory setting in transforms.conf
B.Convert to an index-time lookup with automatic re-indexing
C.Convert to a KV Store lookup and update the collection as needed
D.Reduce the CSV file to only the most common lookup keys
AnswerC

KV Store lookups are optimized for large, frequently changing data and provide efficient search-time lookup.

Why this answer

Option D is correct because KV Store lookups provide indexed lookups and can be updated without reindexing, improving performance for large, dynamic datasets. Option A is incorrect because converting to a smaller subset would lose data. Option B is incorrect because increasing memory allocation does not address the fundamental lookup efficiency.

Option C is incorrect because index-time lookups require reindexing and are not suitable for frequently changing data.

74
MCQmedium

A dashboard developer wants to color-code the bars in a column chart based on a severity field (critical=red, high=orange, medium=yellow, low=green). How can this be achieved?

A.Configure drilldown to change colors when clicked
B.Use the chart command with 'useColors=true' and specify a color palette or use Eval to create a color field
C.Use the 'overlay' option in the chart command
D.Add CSS styling to the Simple XML dashboard
AnswerB

The chart command supports mapping severity to colors via options like 'colorPalette' or by using a color field in the search.

Why this answer

Option C is correct because using the chart command's 'useColors' and 'colorPalette' options, or setting colors via eval, allows custom coloring. Option A is incorrect because CSS in Simple XML requires advanced customization and is not straightforward. Option B is incorrect because drilldown is for interaction, not color.

Option D is incorrect because the 'overlay' option is for overlaying another chart.

75
MCQhard

A lookup is not returning any results even though the search events contain the matching field. The lookup definition in transforms.conf includes 'default_match = false'. What is the most likely issue?

A.The lookup has a time restriction that excludes the events
B.The lookup is case-sensitive and the event fields have different case
C.The lookup field names do not match the event field names
D.The lookup command is missing the 'OUTPUT' clause
E.The lookup file is empty
AnswerB

Case mismatch is a common cause of lookup failure.

Why this answer

Lookups are case-sensitive by default; if event fields have different case than lookup fields, no match occurs. default_match=false causes no default value on mismatch.

Page 1 of 2 · 127 questions totalNext →

Ready to test yourself?

Try a timed practice session using only Advanced Viz Lookups questions.