CCNA Advanced Viz Lookups Questions

52 of 127 questions · Page 2/2 · Advanced Viz Lookups topic · Answers revealed

76
MCQhard

During peak hours, a search that uses a KV Store lookup frequently times out. The search runs on daily data but the KV Store collection has millions of records. Which approach is most effective to reduce lookup time while maintaining data freshness?

A.Increase the KV Store collection's replication factor
B.Pre-compute the lookup results using a scheduled search and write to a CSV, then use the CSV lookup
C.Reduce the fields stored in the KV Store collection
D.Use the 'lookup' command with the 'local=t' option
AnswerB

This reduces the dataset size and improves lookup speed.

Why this answer

Pre-computing lookup results into a smaller CSV that is refreshed frequently can improve performance while keeping data up-to-date.

77
MCQmedium

A lookup definition includes the option 'batch_index_query=True'. What is the effect?

A.The lookup is populated from an index query when first used.
B.The lookup is batch-processed to reduce number of lookups.
C.The lookup is applied to all indexes at once.
D.The lookup is cached across all search heads.
AnswerA

This is the purpose of batch_index_query.

Why this answer

Option A is correct because batch_index_query=True means the lookup is populated from an index search when first used. Option B is wrong because it doesn't apply to all indexes. Option C is wrong because it doesn't batch-process lookups.

Option D is wrong because caching is separate.

78
MCQeasy

A dashboard shows a single-value visualization of total sales. The underlying search uses `| stats sum(sales)`. The dashboard refreshes every 5 minutes, but the value only updates when the page is manually reloaded. Which setting is MOST likely missing?

A.The 'Token delay' is too high.
B.The search is not scheduled or set to 'Auto' for the panel.
C.The time range picker is set to 'All time'.
D.The dashboard's 'Auto-refresh' interval is not set.
AnswerB

The panel's search must be set to run automatically to refresh data.

Why this answer

Option B is correct because the single-value visualization's search must be scheduled or set to 'Auto' to automatically re-execute on dashboard refresh. Without this setting, the search runs once when the dashboard loads and caches the result, so even with a 5-minute auto-refresh interval, the displayed value remains stale until the page is manually reloaded.

Exam trap

Splunk often tests the misconception that setting the dashboard's auto-refresh interval alone is sufficient to update panel values, when in fact each panel's search must also be configured to re-execute on refresh (via 'Auto' or a scheduled search).

How to eliminate wrong answers

Option A is wrong because 'Token delay' controls the debounce time for token changes, not the execution of the underlying search; a high token delay would affect how quickly a token-driven search runs after a user interaction, not the periodic update of a static search. Option C is wrong because setting the time range picker to 'All time' affects the time scope of the search, not whether the search re-executes on refresh; it would still return a static result if the search is not scheduled. Option D is wrong because the dashboard's 'Auto-refresh' interval (set in Dashboard Settings) triggers a page-level refresh, but if the panel's search is not scheduled or set to 'Auto', the refresh only reloads the cached result from the initial search, not a new computation.

79
MCQeasy

A security analyst wants to map IP addresses to hostnames using a CSV lookup file. Which command is correct to define a lookup that maps the IP field to hostname field, with the file named 'ip_host.csv'?

A.lookup ip_host.csv hostname OUTPUT ip
B.lookup ip_host.csv hostname as hostname ip as ip_output
C.inputlookup ip_host.csv
D.lookup ip_host.csv ip as ip_output hostname as hostname_output
AnswerD

Correct syntax for lookup with field mapping.

Why this answer

Option A is correct because the lookup command syntax is 'lookup <lookup-table> <lookup-field> [OUTPUT <output-field>]' and here 'ip as ip_output hostname as hostname_output' correctly maps input ip to output ip_output and hostname to hostname_output. Option B is wrong because inputlookup returns all rows, not a join. Option C is wrong because the order is reversed.

Option D is wrong because 'OUTPUT' without aliases is incorrect.

80
MCQeasy

A network engineer wants to add geographic location (city, country) to firewall logs based on source IP. Which lookup type is most appropriate?

A.KV Store lookup
B.Scripted lookup
C.Automatic lookup configured in props.conf
D.File-based lookup (CSV)
AnswerD

A CSV file with IP ranges and locations is straightforward and performs well for static reference data.

Why this answer

Option C is correct because a CSV lookup file containing IP-to-location mappings is simple and efficient for static geographic data. Option A is incorrect because automatic lookups are for search-time enrichment but require prior lookup definition. Option B is incorrect because KV Store is overkill for static data.

Option D is incorrect because scripted lookups are for complex external data sources.

81
Multi-Selecthard

Which TWO components must be configured to enable an automatic lookup that populates fields at index time?

Select 2 answers
A.transforms.conf to define the lookup table and the field mapping.
B.The lookup table file must be placed in the lookup directory of the app.
C.indexes.conf to enable lookup acceleration.
D.props.conf to specify the automatic lookup stanza for the sourcetype.
E.The lookup must be defined via the Lookups menu in Splunk Web only.
AnswersA, D

The lookup definition (filename, fields, match type) is in transforms.conf.

Why this answer

Options A and B are correct. transforms.conf defines the lookup table and field mapping, and props.conf specifies which sourcetype should use the lookup automatically. Options C, D, and E are not required configuration files for the automatic lookup to work.

82
Multi-Selecteasy

Which TWO statements about lookup tables are true?

Select 2 answers
A.Lookups can only be defined by administrators.
B.A lookup definition can include time-based expiration.
C.Lookups are case-sensitive by default.
D.Lookups can be defined from CSV files or KV store collections.
E.Lookups can only be used in the 'lookup' command.
AnswersB, D

Time-based lookups allow automatic refresh.

Why this answer

Options B and C are correct. B: Lookups can be defined from CSV files or KV store. C: Time-based expiration is a feature.

A is false because lookups can be used in multiple commands. D is false because they are case-insensitive by default. E is false because they can be defined by power users.

83
MCQhard

A Splunk admin notices that a scheduled search using inputlookup is returning inconsistent results. The lookup file is stored on the search head and is updated via a script every 15 minutes. What is the most likely cause of the inconsistency?

A.The search head is not configured as a lookup server
B.The lookup file contains duplicate entries with different timestamps
C.The lookup file is cached and not automatically refreshed
D.The lookup file exceeds the maximum file size
AnswerC

inputlookup caches the file; changes require a reload or restart.

Why this answer

The most likely cause is that the lookup file is cached by Splunk after the first read, and subsequent updates via the script do not automatically refresh the in-memory cache. By default, Splunk caches lookup files on the search head to improve performance, and changes to the file are not reflected until the cache expires or is manually cleared. This leads to inconsistent results when the scheduled search runs against a stale cached version.

Exam trap

Splunk often tests the misconception that file updates are immediately reflected in search results, when in reality Splunk's caching mechanism introduces a delay that can cause inconsistency unless the cache is explicitly refreshed.

How to eliminate wrong answers

Option A is wrong because the concept of a 'lookup server' applies to distributed environments where lookups are shared across search heads, but the issue here is local caching on a single search head, not server configuration. Option B is wrong because duplicate entries with different timestamps would cause consistent behavior (e.g., returning the first match) rather than inconsistency across runs; the problem is about stale data, not duplicate resolution. Option D is wrong because exceeding the maximum file size would cause the lookup to fail entirely or be truncated, not produce inconsistent results; the search would either error out or return partial data consistently.

84
MCQmedium

An analyst wants to create a visualization showing the average response time by hour over the past day, with each server in a separate line. Which command should they use?

A.`... | timechart span=1h avg(response_time) by server`
B.`... | timechart avg(response_time) by server`
C.`... | chart avg(response_time) by hour, server`
D.`... | stats avg(response_time) by hour, server`
AnswerA

Correctly uses timechart with 1-hour intervals and splits by server.

Why this answer

Option C is correct. It uses `timechart` with an explicit span of 1 hour and splits by server. Option A uses `chart` which is not time-based and would produce a non-time chart.

Option B omits span, which might default to auto but is less explicit. Option D uses `stats` which does not produce a time-based chart automatically.

85
Matchingmedium

Match each Splunk index time field to its meaning.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The hostname or IP of the data source

The file, script, or input that generated the event

The type of data, determines parsing behavior

The name of the index where the event is stored

The timestamp of the event

Why these pairings

These fields are automatically added during indexing.

86
Multi-Selecthard

Which TWO features are available for customizing dashboards in Splunk's Simple XML?

Select 2 answers
A.Using HTML in a panel to embed custom JavaScript.
B.Using CSS to change the color of all panels.
C.Automatically refreshing panels using token 'refresh'.
D.Adding drilldown actions to tables and charts.
E.Creating multiple dashboard versions for different user roles.
AnswersC, D

The 'refresh' token triggers auto-refresh.

Why this answer

Options A and E are correct. A: Drilldown actions are available. E: Token 'refresh' can auto-refresh panels.

B is false because HTML cannot embed JavaScript. C is false because CSS changes are limited. D is false because versioning is not a built-in feature.

87
MCQhard

A team wants to create a custom visualization that requires JavaScript and CSS modifications. Which Splunk feature should be used?

A.Splunk Web Framework
B.Simple XML dashboard
C.Dashboard studio
D.Custom visualization framework
AnswerD

This framework supports custom JS/CSS visualizations.

Why this answer

The Custom Visualization Framework (option D) is the correct choice because it is the only Splunk feature that allows developers to create entirely new visualizations using JavaScript and CSS. This framework provides the necessary APIs and hooks to register custom visualization types that can then be used in dashboards, whereas the other options either restrict customization or do not support custom JavaScript/CSS modifications.

Exam trap

The trap here is that candidates often confuse the Custom Visualization Framework with Dashboard Studio or Simple XML, assuming that those tools support arbitrary JavaScript/CSS customization, when in fact they only allow configuration of existing components.

How to eliminate wrong answers

Option A is wrong because the Splunk Web Framework is a broader platform for building custom web applications and does not specifically provide a structured way to create custom visualizations with JavaScript and CSS for use within Splunk dashboards. Option B is wrong because Simple XML dashboards are declarative and do not support embedding custom JavaScript or CSS directly; they rely on predefined visualization types. Option C is wrong because Dashboard Studio is a modern, drag-and-drop interface that uses predefined visualization components and does not allow custom JavaScript/CSS modifications for creating new visualizations.

88
MCQhard

Refer to the exhibit. An administrator is configuring a CIDR match lookup for geo-IP. The lookup is not working. What is most likely the issue?

A.The max_matches setting should be 0
B.The filename should include the full path
C.The stanza name should be 'geo_ip' without brackets
D.The match_type should be 'match_type = cidr' without brackets
AnswerD

It should be a setting, not a stanza header.

Why this answer

In Splunk's transforms.conf, match_type is a setting, not a separate stanza. The bracket indicates a new stanza, which is incorrect. The correct syntax is 'match_type = cidr' under the [geo_ip] stanza.

89
MCQmedium

You are a Splunk power user working for a healthcare organization. You have created a visualization that shows patient wait times by department over the last 30 days. The chart uses a timechart command with a 'stacked' option. Recently, the chart started showing negative values for some departments, which is impossible because wait times cannot be negative. You have verified that the raw data is correct and contains only positive wait times. The search is: index=healthcare sourcetype=patient_wait | timechart span=1d avg(wait_time) by department. The chart is displayed as a stacked area chart. The negative values appear only for a few departments sporadically. You suspect the issue is related to how null values are handled. What could be causing the negative values?

A.The timechart command is using 'limit=0' which causes overcounting of series.
B.There is a counting error in the search due to overlapping time ranges from data indexing delays.
C.The use of 'other' category in stacked charts can cause negative values when there are many series.
D.The 'stacked' option is misinterpreting null values as negative.
AnswerD

Stacked charts can interpret nulls as negative for series with gaps.

Why this answer

Option C is correct because stacked area charts can misrepresent null values as negative when there are gaps in data. Option A is wrong because timechart limit=0 does not cause negatives. Option B is wrong because overlapping time ranges would affect counts, not produce negatives.

Option D is wrong because 'other' category does not cause negatives.

90
Matchingmedium

Match each Splunk role to its typical permission level.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Full access to system configuration and all data

Can create and share knowledge objects, run searches

Can run searches and create personal knowledge objects

Allows deletion of search results and events

Allows access to Splunk REST endpoints

Why these pairings

Roles define what actions users can perform in Splunk.

91
MCQeasy

What is the MOST likely reason the search returns no results?

A.The user does not have permission to read the lookup.
B.The lookup definition is not configured.
C.The CSV file has no header row.
D.The `inputlookup` command expects the definition name, not the filename.
AnswerD

Use `| inputlookup usertable`.

Why this answer

The `inputlookup` command in Splunk expects the lookup definition name as its argument, not the filename of the CSV file. If a user specifies the filename (e.g., `| inputlookup myfile.csv`) instead of the lookup definition name (e.g., `| inputlookup my_lookup`), Splunk will not find the lookup and returns no results. This is a common mistake because the command syntax requires the logical name defined in the lookup table configuration, not the physical file path.

Exam trap

Splunk often tests the distinction between the `inputlookup` command (which requires the definition name) and the `lookup` command (which can accept either a definition name or a filename in certain contexts), leading candidates to incorrectly assume both commands accept filenames.

How to eliminate wrong answers

Option A is wrong because if the user lacked read permission, Splunk would typically return an error message about permissions, not silently return no results. Option B is wrong because if the lookup definition were not configured, the `inputlookup` command would fail with an error indicating the definition does not exist, rather than returning zero results. Option C is wrong because a missing header row in the CSV file would cause the lookup to load data with default field names (e.g., field1, field2) or produce a warning, but it would still return rows of data, not zero results.

92
MCQeasy

A search produces a table with many rows. Which visualization type is best suited to show the distribution of a single field's values?

A.Area chart
B.Pie chart
C.Scatter chart
D.Line chart
AnswerB

Pie charts show parts of a whole, ideal for distribution of a single field.

Why this answer

Option C is correct because a pie chart effectively shows proportional distribution of categorical data. Options A, B, and D are more suited for trends or relationships.

93
MCQhard

Which statement best describes the search result?

A.It returns an error because price is not a field before the lookup.
B.It returns the count of distinct product_ids that have a price > 100.
C.It returns the count of events where the price is greater than 100, grouped by product_name.
D.It returns the count of successful web events, but only for products with price > 100.
AnswerC

Correct: after lookup and where filter, stats count by product_name groups events.

Why this answer

Option A is correct. The search enriches events with product_name and price, filters for price > 100, then counts events by product_name. Option B is wrong because it counts events, not distinct product_ids.

Option C is wrong because price is added by the lookup. Option D is too broad; it doesn't specify the grouping.

94
MCQeasy

A company's security team uses Splunk to monitor firewall logs. They have a lookup file named 'threat_intel.csv' containing 10,000 IP addresses classified by threat level. The lookup is used in a dashboard that shows the number of blocked connections from high-threat IPs over the past 24 hours. Recently, the dashboard has become slow, taking over 30 seconds to load. The lookup file is updated every 15 minutes via a script that replaces the entire file. The search currently uses: `index=firewall | lookup threat_intel.csv src_ip OUTPUT threat_level | where threat_level="high" | stats count`. Which of the following is the MOST efficient way to improve dashboard performance?

A.Restrict the search to a smaller time range, such as the last hour.
B.Use the lookup with local=t to force it to run on the search head only.
C.Convert the lookup to a KV store collection with an index on src_ip.
D.Increase the lookup cache size in limits.conf.
AnswerC

KV store handles concurrent reads and writes efficiently, ideal for frequently updated lookups.

Why this answer

Option C is correct because converting the lookup to a KV Store collection with an index on `src_ip` allows Splunk to perform efficient key-value lookups without loading the entire 10,000-row CSV into memory on every search. The KV Store uses an indexed data structure, which dramatically reduces lookup time compared to a file-based lookup that must be fully scanned each time, especially when the file is replaced every 15 minutes and the search runs over a 24-hour window.

Exam trap

The trap here is that candidates often assume reducing the time range or caching will fix performance, but the real bottleneck is the file-based lookup's linear scan of 10,000 rows, which is only resolved by switching to an indexed KV Store collection.

How to eliminate wrong answers

Option A is wrong because reducing the time range to the last hour does not address the root cause of slow lookups; the performance bottleneck is the file-based lookup scanning 10,000 IPs, not the volume of events. Option B is wrong because using `local=t` forces the lookup to execute only on the search head, which does not improve performance—it may even worsen it by bypassing distributed lookup execution across indexers. Option D is wrong because increasing the lookup cache size in `limits.conf` only caches previously looked-up values within a single search; it does not help when the lookup file is replaced every 15 minutes, as the cache is invalidated on each file change, and the initial load still requires scanning the entire CSV.

95
MCQmedium

The search returns a timechart with multiple series but the series colors are all the same. What is the most likely reason?

A.The 'timechart' command cannot handle multiple series from a lookup
B.The number of distinct description values exceeds the default color palette
C.The lookup should be performed before the eval
D.The 'eval' command is misspelled (status=code instead of status_code?)
E.The lookup is not working correctly
AnswerB

When there are more than 10 series, colors repeat, making them indistinguishable.

Why this answer

If the number of distinct description values exceeds the default color palette (typically 10), colors will repeat. This is a common issue with many series.

96
MCQeasy

A Splunk administrator wants to create a static lookup table from a search result. Which approach is recommended?

A.Use the `outputlookup` command to save the search result as a CSV file.
B.Use `inputlookup` to write to a CSV file.
C.Use the `lookup` command to create the file.
D.Manually copy the results into a spreadsheet and upload as CSV.
AnswerA

outputlookup writes the result set to a lookup file in the specified directory.

Why this answer

Option A is correct. The outputlookup command is designed to save search results directly to a CSV file in the lookups directory. Option B is manual and error-prone.

Option C, inputlookup, reads a lookup file. Option D, lookup, applies a lookup but does not create a file.

97
MCQmedium

A search includes a lookup that is used for every event. The lookup file has 500,000 rows. The search is running slowly. Which change could improve performance?

A.Use the stats command instead of lookup
B.Convert the lookup to a KV Store lookup
C.Use the inputlookp command with append=t
D.Increase the max_match in the lookup definition
E.Use the lookup command with output fields limited to needed fields
AnswerE

Specifying only required fields reduces data processing overhead.

Why this answer

Limiting output fields reduces data transfer and can improve lookup performance. KV Store may help but requires extra setup.

98
MCQmedium

A security analyst needs to enrich authentication logs with employee department information stored in a CSV file called 'employees.csv'. The CSV has fields: 'emp_id', 'name', 'department'. The authentication logs contain a field 'user_id' that matches 'emp_id'. Which search correctly enriches the events with the department field?

A.`index=auth | lookup employees.csv user_id AS emp_id OUTPUT department`
B.`index=auth | lookup employees.csv emp_id AS user_id OUTPUT department`
C.`index=auth | lookup employees.csv user_id AS emp_id OUTPUT department, name`
D.`index=auth | inputlookup employees.csv where user_id=emp_id | table *`
AnswerB

Correct syntax: lookup field emp_id is matched to search field user_id, and department is output.

Why this answer

Option D is correct because it uses the correct lookup syntax: `lookup <lookup-table> <lookup-field> AS <search-field> OUTPUT <field>`. Here, `emp_id AS user_id` maps the lookup field emp_id to the search field user_id. Option A and B reverse the mapping, and option C uses inputlookup incorrectly which returns the lookup table contents rather than enriching events.

99
MCQeasy

A security analyst wants to visualize the count of login failures per hour, grouped by source IP. Which SPL command should they use?

A.timechart count by src_ip
B.stats count by _time, src_ip
C.chart count by src_ip over _time
D.eventstats count by src_ip
AnswerA

timechart creates a time-based chart with automatic bucketing and grouping by src_ip.

Why this answer

Option A is correct because timechart automatically bins events by time and can group by a field. Option B is incorrect because chart requires an explicit span to create time-based bins. Option C is incorrect because stats does not produce a time-based x-axis automatically.

Option D is incorrect because eventstats is for creating new fields, not visualization.

100
MCQhard

A lookup definition is correctly configured, but when used in a search, no results are returned. The lookup file exists and contains data. What is the most likely cause?

A.The lookup file has too many fields.
B.The lookup definition has the wrong case sensitivity setting.
C.The lookup file is in JSON format but the definition expects CSV.
D.The search time field extraction for the matching field is disabled.
AnswerB

If case_sensitive_match is set incorrectly (e.g., false when it should be true), mismatches occur.

Why this answer

Option B is correct because case sensitivity mismatch is a common issue: if the lookup definition expects exact case but the search field has different case, no match occurs. Option A is unlikely as too many fields do not prevent matching. Option C, disabling field extraction, would affect other parts but not lookup matching directly.

Option D, format mismatch, would cause an error, not silently return no results.

101
MCQhard

In a dashboard panel, a table shows event counts by source. The user wants to click on a sourcetype to drill down to a new search showing all events from that source. Which token-based drilldown approach is correct?

A.Use a custom JavaScript to navigate.
B.Set a drilldown action to 'form' and submit the token.
C.Set a drilldown action to 'link' with a URL that includes the sourcetype.
D.Set a drilldown action to 'search' with a search string containing $row.sourcetype$.
AnswerD

This correctly passes the clicked field value.

Why this answer

Option D is correct because using $row.sourcetype$ in a drilldown search string passes the clicked value. Option A is wrong because link URL is less dynamic. Option B is wrong because form submit requires form inputs.

Option C is wrong because JavaScript is not needed.

102
Multi-Selectmedium

A security analyst needs to correlate authentication events from multiple Windows domain controllers to identify failed logon attempts from a specific user account, and then enrich the results with the user's department and manager from an HR database. Which TWO Splunk features should the analyst use?

Select 2 answers
A.Time-based lookup
B.Data model acceleration
C.Subsearch
D.Lookup definition
E.Calculated field
AnswersB, D

Data models can normalize and accelerate searches across multiple sources.

Why this answer

Data model acceleration (B) is correct because it pre-computes and indexes authentication event data from multiple Windows domain controllers, enabling fast, efficient correlation of failed logon attempts for a specific user. Lookup definition (D) is correct because it allows the analyst to define a lookup that enriches the authentication events with the user's department and manager from an external HR database, mapping fields like username to the HR data.

Exam trap

The trap here is that candidates often confuse subsearch (C) with lookup definition (D) for enrichment, not realizing that subsearches are for dynamic filtering, not static field mapping from an external source, and that data model acceleration (B) is specifically designed for high-performance correlation across multiple data sources, not just a simple search optimization.

103
MCQmedium

An automatic lookup is configured in props.conf and transforms.conf, but the expected fields are not appearing in search results. Which is the first thing to verify?

A.Verify the transforms.conf definition for the lookup
B.Run a search using the lookup command manually to test
C.Verify that the source field is extracted at search time
D.Verify that the user has read permissions on the lookup table
AnswerA

Incorrect configuration in transforms.conf (e.g., wrong filename, source/dest fields) is the most common cause.

Why this answer

Option B is correct because checking the transforms.conf definition ensures the lookup table name, file path, and field mappings are correct. Option A is incorrect because permissions alone would cause a different error. Option C is incorrect because field extraction is not related to lookups.

Option D is incorrect because search-time manual usage is not needed if automatic lookups are configured.

104
MCQmedium

An admin configured an automatic lookup but events for mysourcetype are not being enriched. What is the most likely problem?

A.The lookup file is too large and memory limit is exceeded.
B.The match_type should be 'EXACT' instead of 'WILDCARD'.
C.The LOOKUP stanza in props.conf is missing the input field specification.
D.The lookup is defined in transforms.conf but not referenced in any search.
AnswerB

For direct field matching, EXACT is appropriate; WILDCARD is for pattern matching.

Why this answer

Option B is correct because the WILDCARD match_type requires the event value to contain wildcard characters or be matched glob-style; typical exact matches require EXACT match_type. Option C is possible but the syntax can omit INPUT if the field names match. Options A and D are less likely.

105
MCQeasy

An analyst runs a search with the command 'lookup region_lookup region_code OUTPUT region_name'. The events have a region_code field with values like 'us-east' and 'eu-west'. The lookup file contains 'US-EAST' and 'EU-WEST'. The lookup returns no results. What is the most likely cause?

A.The lookup file format is incorrect
B.The default_match setting prevents missing matches
C.The match_type is WILDCARD but no wildcards used
D.The case_sensitive_match is set to true
E.The max_match setting limits results
AnswerD

Case sensitivity causes mismatches between uppercase and lowercase values.

Why this answer

The lookup is case-sensitive ('Case_sensitive_match = true'), and the event fields have lowercase values while the lookup file has uppercase, causing no match.

106
MCQeasy

A dashboard developer wants to create a single-value visualization that shows the current server status from a lookup table. Which Splunk command should be used to retrieve the lookup data in a real-time context?

A.inputlookup
B.outputlookup
C.lookup
D.geostats
AnswerC

lookup can be used in real-time searches to enrich events.

Why this answer

Option C is correct because the `lookup` command retrieves field values from a lookup table and can be used in a real-time context to enrich events or display current status. Unlike `inputlookup`, which loads the entire lookup table as events, `lookup` works within the search pipeline, allowing it to match against live data and return the most recent lookup values for a single-value visualization.

Exam trap

The trap here is that candidates confuse `inputlookup` (which loads the entire table as events) with `lookup` (which enriches events in the pipeline), leading them to choose `inputlookup` for a real-time single-value display when it actually returns all rows as separate events, not a single aggregated value.

How to eliminate wrong answers

Option A is wrong because `inputlookup` loads the entire lookup table as search events, which is not suitable for real-time context and would require additional processing to extract a single value. Option B is wrong because `outputlookup` writes data to a lookup table, not retrieves it, making it irrelevant for displaying current server status. Option D is wrong because `geostats` is used for geospatial statistical aggregation, not for retrieving lookup data, and it does not operate on lookup tables.

107
MCQeasy

A company needs to enrich search results with additional fields from a CSV file. Which method should they use to define the lookup table so that it is available in all searches?

A.Define the lookup in props.conf with an automatic lookup stanza.
B.Use the inputlookup command in a search.
C.Define the lookup in transforms.conf with a filename and field mapping.
D.Use the lookup command with the file path.
E.Use the eval command with the lookup function directly in search.
AnswerC

transforms.conf is where lookup table definitions (filename, fields, match type) are configured, making the lookup available for use.

Why this answer

Option D is correct because the lookup table file and format must be defined in transforms.conf to be available for use with the lookup command or automatic lookups. Option A is incorrect; inputlookup reads a lookup but does not define it. Option B is incorrect; the lookup command uses an existing definition.

Option C is incorrect; props.conf is for automatic lookups, not for defining the lookup table itself. Option E is incorrect; the eval lookup function also requires a definition.

108
MCQmedium

In a dashboard, a bar chart shows sales by region. The user wants to click on a bar and have a table filter to show only that region's details. Which drilldown technique should be used?

A.Enable drilldown in the bar chart and set the search to automatically apply the clicked field
B.Configure a form input dropdown and set default value from drilldown
C.Set a token using $click.value$ in the drilldown and add a dependency on the token in the table search
D.Use a static filter with a predefined list of regions
AnswerC

Tokens capture the clicked value and can be used in dependent searches to filter results.

Why this answer

Option B is correct because using tokens with $click.value2$ correctly captures the clicked region and passes it to a dependent panel. Option A is incorrect because form inputs are not triggered by drilldown. Option C is incorrect because static filter would not be dynamic.

Option D is incorrect because drilldown without token setup does not pass the value to another panel.

109
MCQmedium

A security analyst creates a timechart of login failures by source IP. The chart shows expected spikes, but the top 5 IPs account for <10% of all failures. The analyst suspects a DDoS attack using spoofed IPs. Which visualization type would BEST highlight the distribution of failures across all IPs?

A.Pie chart
B.Treemap
C.Scatter plot
D.Stacked column chart
AnswerB

Treemaps effectively show proportions of many categories.

Why this answer

A treemap is the best choice because it uses nested rectangles to represent the proportional contribution of each source IP to the total login failures, making it easy to visually identify the distribution across all IPs, even when no single IP dominates. Unlike other chart types, a treemap can efficiently display hundreds of IPs without cluttering the view, which is critical when the top 5 IPs account for less than 10% of failures, indicating a highly distributed attack pattern.

Exam trap

Splunk often tests the misconception that a pie chart is always the best for showing proportions, but the trap here is that a pie chart fails when there are many small slices, making it impossible to discern the distribution of failures across all IPs in a highly distributed attack.

How to eliminate wrong answers

Option A is wrong because a pie chart becomes unreadable when there are many slices (e.g., hundreds of IPs), and it cannot effectively show the distribution of failures across all IPs when no single IP has a large share. Option C is wrong because a scatter plot is designed to show the relationship between two numerical variables (e.g., time vs. count), not the proportional distribution of a categorical variable like source IP. Option D is wrong because a stacked column chart is best for showing the composition of a whole over time, but it becomes cluttered and loses clarity when there are many categories (IPs) with small values, and it does not highlight the distribution across all IPs at a single point in time.

110
MCQmedium

A Splunk admin is tasked with creating a dashboard that shows the average response time per server over the last hour, updated every 60 seconds. The data comes from a sourcetype 'app_log' with fields: server, response_time. The admin wants to use a single search with a timechart and set the dashboard's time range picker to 'Last 60 minutes'. However, the chart shows only one data point (the average for the entire hour) instead of per-minute intervals. What is the most likely cause and solution?

A.The dashboard uses a summary index; switch to a base search
B.The search is not set to real-time; change to a real-time search
C.The dashboard time range picker is set to 'All time'; change to 'Last 60 minutes'
D.The timechart command does not have a span specified; add | timechart span=1m avg(response_time) by server
AnswerD

Specifying span=1m creates per-minute buckets.

Why this answer

The `timechart` command without an explicit `span` defaults to a single bucket for the entire search time range when the range is fixed (e.g., 'Last 60 minutes'). By adding `span=1m`, you force the command to create 1-minute buckets, producing a data point per minute. This is the most direct fix for the described behavior.

Exam trap

Splunk often tests the default behavior of `timechart` without a `span`, tricking candidates into thinking the issue is with the time range picker or search mode rather than the missing span parameter.

How to eliminate wrong answers

Option A is wrong because a summary index would not cause a single data point; summary indexes store pre-aggregated data, but the issue here is the lack of a span in the timechart, not the data source. Option B is wrong because a real-time search is not required; the dashboard already updates every 60 seconds via the refresh setting, and the time range 'Last 60 minutes' is a fixed window, not real-time. Option C is wrong because the question explicitly states the dashboard's time range picker is set to 'Last 60 minutes', so changing it to the same value would have no effect.

111
MCQhard

A large lookup file with 10 million rows is used in a search that joins with main index data. The search is slow. Which optimization should be applied first?

A.Use 'lookup local=true' to reduce time.
B.Add a filter on the lookup using a subsearch.
C.Convert the lookup to a KV store collection.
D.Use 'inputlookup' instead of 'lookup'.
AnswerC

KV store is optimized for large datasets and lookups.

Why this answer

Option C is correct because converting to KV store improves performance for large lookups. Option A is wrong because inputlookup loads all rows, making it slower. Option B is wrong because local=true does not help memory.

Option D is wrong because subsearch adds overhead.

112
MCQmedium

An analyst notices that a timechart command with 'by host' shows only 10 hosts even though there are 50 distinct hosts. What could be the reason?

A.The visualization is set to 'Pie' which only shows top 10.
B.The search is using 'join' to combine data.
C.The 'useother' parameter is set to false.
D.The 'limit' parameter is set to 10 by default.
AnswerD

timechart by default shows only the top 10 series unless limit is explicitly set higher or to 0.

Why this answer

Option A is correct because the default limit for timechart is 10, which restricts the number of series displayed. Options B, C, and D are not default behaviors or are unrelated.

113
MCQmedium

Refer to the exhibit. A user runs this search expecting to see the top 5 departments by count, but the results show all departments. What is the error?

A.The limit parameter in top should be written before the field name
B.The sort command should be placed before stats
C.The inputlookup should be used with a subsearch
D.The top command already calculates a count, so stats is unnecessary and can cause conflict
AnswerD

Using both may result in showing all departments because top may operate on the stats output incorrectly.

Why this answer

The top command already calculates a count and sorts, so using stats before top is redundant and can cause unexpected results. The correct approach is to use 'top limit=5 department' directly on the inputlookup without stats.

114
MCQhard

An admin creates a dashboard with a timechart panel that drills down to a search for that time range. The drilldown search works but does not include the time range. What is the likely cause?

A.The drilldown is set to 'search' without including tokens for time.
B.The timechart uses a fixed time range in the search string.
C.The dashboard's time input is disabled.
D.The drilldown is configured to use 'range' token but the panel's time range is not passed.
AnswerA

If the drilldown is a static search (no tokens), it does not inherit the time range from the dashboard panel.

Why this answer

Option B is correct because the drilldown search configuration must include tokens to pass the time range; if set to a static search, time range is not inherited. Options A, C, D are possible but less common or specific.

115
MCQhard

A team uses a lookup to enrich web logs with customer region. The lookup is file-based and updated daily. Some events are not being enriched even though the lookup file has matching keys. What could be the issue?

A.The lookup file exceeds the maximum size.
B.The lookup file is not sorted.
C.The lookup definition uses the wrong timestamp format.
D.The lookup file has leading or trailing spaces in key fields.
AnswerD

Extra spaces prevent exact matches; stripping spaces is recommended.

Why this answer

Option B is correct. Leading or trailing spaces in the lookup file or search field are a common cause of mismatches. Option A, file not sorted, is not required for lookups.

Option C, size limit, would cause an error or truncation, not silent failure. Option D, timestamp format, is irrelevant for non-time-based lookups.

116
MCQhard

An engineer runs `| inputlookup asset_lookup.csv | table asset_id asset_name` and gets no results despite the file existing in $SPLUNK_HOME/etc/apps/search/lookups/. The lookup definition is correctly configured. What is the MOST likely cause?

A.The engineer lacks permissions to read the lookup.
B.The lookup file is not in the correct directory.
C.The lookup file has a .csv extension but contains other data.
D.The lookup definition name does not match the filename.
AnswerD

The engineer used the filename, but `inputlookup` expects the lookup definition name.

Why this answer

The `inputlookup` command references a lookup by its definition name, not the filename. Even if the file exists in the correct directory, the command will fail if the lookup definition name in the configuration does not match the filename. Option D is correct because the engineer likely used the filename in the command instead of the lookup definition name.

Exam trap

The trap here is that candidates assume `inputlookup` uses the filename directly, but Splunk requires the lookup definition name, which may differ from the filename.

How to eliminate wrong answers

Option A is wrong because the engineer is running the command from a search head and the lookup file is in the app's lookups directory, which is accessible by default to users with appropriate roles; permission issues would typically produce an error message, not an empty result. Option B is wrong because the file is explicitly stated to exist in $SPLUNK_HOME/etc/apps/search/lookups/, which is the correct directory for app-level lookups. Option C is wrong because a CSV file containing non-CSV data would cause parsing errors or malformed results, not a silent empty result set.

117
MCQmedium

Refer to the exhibit. When a source IP does not match any entry in geo.csv, what values will be added to the event?

A.The search fails with an error
B.No fields are added
C.city and country are set to empty strings
D.city and country are set to 'NotFound'
AnswerD

default_match defines the fallback value for unmatched fields.

Why this answer

Option B is correct because default_match is set to 'NotFound', and OUTPUTNEW adds fields only if they are not already present. In case of no match, the default values 'NotFound' are used for city and country. Option A is incorrect because fields are still added with default values.

Option C is incorrect because default_match overrides null. Option D is incorrect because the search continues successfully.

118
MCQmedium

The exhibit shows an error when using a lookup. What is the most likely missing configuration?

A.The lookup file must be uploaded via the UI instead of placed manually
B.The search head must be configured as a lookup server
C.A lookup definition must be added to transforms.conf
D.The lookup file must be in the $SPLUNK_HOME/etc/system/lookups directory
AnswerC

The lookup definition tells Splunk how to use the file.

Why this answer

When a lookup file is placed in the expected directory but still produces an error, the most common missing configuration is the lookup definition in transforms.conf. This file maps the lookup file to a logical name and specifies its type (e.g., CSV, KV store), which is required for Splunk to recognize and use the lookup in searches. Without this definition, the lookup file exists but is not registered for use.

Exam trap

Splunk often tests the misconception that simply placing a lookup file in the correct directory is enough, when in fact the transforms.conf definition is the critical missing piece that registers the lookup for use.

How to eliminate wrong answers

Option A is wrong because uploading via the UI is not mandatory; placing the lookup file manually in the correct directory is acceptable as long as the transforms.conf definition exists. Option B is wrong because the search head does not need to be configured as a lookup server; lookups are resolved locally on the search head or via distributed lookup configuration, not by designating the search head as a server. Option D is wrong because the default lookup directory is $SPLUNK_HOME/etc/system/lookups, but placing the file there alone is insufficient without the corresponding transforms.conf entry to define the lookup.

119
MCQmedium

A security analyst needs to correlate IP addresses from firewall logs with a lookup table containing known malicious IPs. The lookup table is updated hourly and contains 10,000 entries. Which lookup type should be used to ensure the fastest search performance?

A.File-based CSV lookup
B.External lookup
C.KV Store lookup
D.Geospatial lookup
AnswerA

CSV lookups are loaded into memory and fast for moderate sizes.

Why this answer

A file-based CSV lookup is the correct choice because it is stored entirely in memory on the search head, providing the fastest access for small to medium-sized static datasets (like 10,000 entries). Since the lookup is updated hourly, a CSV file can be reloaded efficiently without the overhead of network calls or database queries, making it ideal for high-speed correlation in security searches.

Exam trap

The trap here is that candidates often choose KV Store lookup (Option C) because it supports dynamic updates, but they overlook that for small, frequently reloaded static datasets, a file-based CSV lookup is faster due to its in-memory caching and lack of network dependency.

How to eliminate wrong answers

Option B is wrong because an external lookup requires a network call to an external script or API, which introduces latency and is slower than a local in-memory lookup. Option C is wrong because a KV Store lookup, while dynamic, uses a key-value store that requires network I/O to the KV Store service, adding overhead compared to a local CSV file. Option D is wrong because a geospatial lookup is designed for geographic coordinates and spatial queries, not for correlating IP addresses with a simple list of known malicious IPs.

120
MCQmedium

An IT administrator notices that a lookup table used to enrich firewall logs is not updating correctly. The lookup file is stored in $SPLUNK_HOME/etc/apps/search/lookups/. What is the most likely cause if the lookup is defined as a 'file-based lookup' with automatic lookup?

A.The lookup file is too large (over 100 MB)
B.The lookup is not referenced in any search
C.The lookup filename contains a space character
D.The lookup file permissions are set to read-only
AnswerC

Spaces in lookup filenames are not supported by Splunk.

Why this answer

Splunk does not support spaces in lookup filenames. A space in the filename causes the lookup to fail. Option B is correct.

121
MCQeasy

A company has a lookup table that contains product prices that change over time. The lookup has a 'valid_from' and 'valid_to' field. Which lookup type should be defined in transforms.conf to automatically match events to the correct price based on the event timestamp?

A.CSV lookup
B.KV Store lookup
C.Time-based lookup
D.External lookup
AnswerC

Time-based lookups are designed for temporal matching.

Why this answer

Time-based lookups use event time to match against time ranges in the lookup table.

122
Multi-Selecteasy

Which two lookup types in Splunk support automatic time-based matching? (Choose 2)

Select 2 answers
A.Time-based lookup
B.File lookup
C.CSV lookup
D.External lookup
E.KV Store lookup
AnswersA, E

Time-based lookups are designed for matching against time ranges.

Why this answer

Time-based lookup (Option A) is correct because it explicitly supports automatic time-based matching by allowing you to define a time range in the lookup definition, which Splunk uses to correlate events based on timestamps. KV Store lookup (Option E) is correct because it supports automatic time-based matching through the `time_field` and `time_format` settings in the lookup definition, enabling Splunk to match events based on time ranges stored in the KV Store collection.

Exam trap

The trap here is that candidates often assume all lookup types support time-based matching, but only Time-based and KV Store lookups have native automatic time-based matching capabilities, while file, CSV, and external lookups require manual time filtering.

123
MCQhard

Where must the file 'departments.csv' be placed for this lookup definition to work?

A.In any directory under $SPLUNK_HOME.
B.In the $SPLUNK_HOME/etc/apps/search/lookups directory.
C.In the $SPLUNK_HOME/etc/system/lookups directory.
D.In the lookups directory of the same app where the transforms.conf is defined.
AnswerD

Splunk resolves relative filenames within the app's lookups directory.

Why this answer

Option C is correct. The filename is relative; Splunk looks for it in the lookups directory of the app where the transforms.conf is defined. Option A is not guaranteed; system lookups are global but not the default for app-specific definitions.

Option B could work if the definition is in the search app, but generally it follows the app context. Option D is incorrect as Splunk does not search all directories.

124
Drag & Dropmedium

Arrange the steps to configure a lookup table file in Splunk.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Lookups require uploading the file, then defining the lookup table file in Splunk settings.

125
MCQmedium

A company needs to enrich events with lookup data that changes over time, such as daily exchange rates. Which lookup method is most appropriate?

A.Use a KV Store lookup with a time-range filter in the search
B.Use a file lookup without time context
C.Use a time-based lookup with a time_field parameter
D.Use an index-time lookup
AnswerC

Time-based lookups use the event's _time to select the appropriate row, perfect for time-varying reference data.

Why this answer

Option C is correct because a time-based lookup with a time_field parameter allows the lookup to return different values based on the event timestamp. Option A is incorrect because index-time lookups are static and require reindexing. Option B is incorrect because file lookups without time context cannot handle time-varying data.

Option D is incorrect because KV Store lookups are not time-aware by default.

126
MCQhard

You are a Splunk consultant for a financial services firm. They have a large lookup table containing customer account numbers and risk scores. This lookup is used in a critical compliance search that runs every hour. The search is failing with a memory error 'The search coordinator stopped the search due to memory usage'. You have already tried increasing the memory limit for the search via limits.conf, but the error persists. The lookup file is a CSV file of 2GB, with approximately 20 million rows. The search is: index=compliance sourcetype=transactions | lookup risk_scores.csv account_id OUTPUT risk_score | stats avg(risk_score) by transaction_type. The search runs on a single search head with 16GB RAM. The lookup is defined as static. What is the most effective optimization to resolve the memory error?

A.Use 'inputlookup' with a 'where' clause to filter the lookup to only relevant account IDs before joining.
B.Split the lookup into multiple smaller files and use multiple lookups in the search.
C.Convert the lookup to a KV store collection and use the 'kv' command in the search.
D.Use 'lookup local=false' in the search to distribute the lookup to indexers.
AnswerC

KV store uses memory-mapped files and is efficient for large lookups.

Why this answer

Option D is correct because converting to KV store reduces memory footprint. Option A is wrong because splitting files increases complexity without resolving memory. Option B is wrong because local=false distributes to indexers but still loads file.

Option C is wrong because inputlookup with where still loads all rows.

127
MCQhard

You are a Splunk administrator for a multi-site deployment with two data centers: primary and remote. Users on the remote site report that a lookup used in a dashboard returns no results for data from their site, but the same lookup works perfectly on the primary site. The lookup is defined with 'local=true' in the transforms.conf. The lookup file is stored on the primary search head. The remote site has its own search head that queries data from both sites. The dashboard search is: index=main | lookup site_mapping.csv site_id OUTPUT location | stats count by location. Users on the remote site see rows with location=null for their data. What is the most likely cause?

A.The lookup is configured to only run on the search head that indexes the data, which is the primary site.
B.The lookup definition needs 'local=false' to be available to remote search heads for distributed searches.
C.The lookup file is not replicated to the remote search head, so it cannot be accessed when local=true.
D.The remote site has a firewall blocking access to the lookup file on the primary search head.
AnswerC

local=true means file must be on the search head running the search.

Why this answer

Option C is correct because local=true requires the file on the search head; remote search head lacks the file. Option A is wrong because the lookup is not tied to indexers. Option B is wrong because firewall is less likely.

Option D is wrong because local=false would change behavior but not the root cause.

← PreviousPage 2 of 2 · 127 questions total

Ready to test yourself?

Try a timed practice session using only Advanced Viz Lookups questions.