SPLK-1003 · topic practice

Macros, Saved Searches and CIM practice questions

Practise Splunk Core Certified Power User SPLK-1003 Macros, Saved Searches and CIM practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Macros, Saved Searches and CIM

What the exam tests

What to know about Macros, Saved Searches and CIM

Macros, Saved Searches and CIM questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Macros, Saved Searches and CIM exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Macros, Saved Searches and CIM questions

20 questions · select your answer, then reveal the explanation

A security analyst wants to create a macro that extracts IP addresses from a field named `src_ip` and returns a count of unique IPs per source. Which macro definition accomplishes this?

A team regularly runs a saved search that joins two large indexes. Performance is poor. Which design change would MOST improve query performance?

An admin created a macro `myfilter(host)` with definition: `host=$host$ | stats count`. When calling `myfilter(webserver)`, the search returns no results. What is the most likely cause?

Which TWO of the following are valid uses of the Common Information Model (CIM) in Splunk?

Which THREE of the following are best practices for creating saved searches?

Which TWO of the following are valid ways to reference a macro in a search?

A Splunk administrator notices that a scheduled saved search `Daily Summary` fails every day at 2:00 AM with the error "Search job expired due to inactivity." The search runs against a large index and takes about 30 minutes to complete. What is the most likely cause?

A security analyst wants to create a saved search that triggers an alert when more than 100 failed login attempts occur within a 5-minute window from the same source IP. The search should run every 5 minutes and alert only once per window. Which setting should be configured?

A Splunk admin wants to create a macro that extracts the username from a log line that always starts with 'User: <username>'. The macro should be reusable across searches. Which definition is correct?

An organization uses Splunk CIM to normalize data from multiple sources. They have a custom data source that logs firewall events with a field 'action' containing values 'accept', 'deny', 'drop'. They want to map this to the CIM field 'action'. Which configuration is required?

A Splunk admin notices that a saved search scheduled to run every 10 minutes is consistently taking 15 minutes to complete, causing overlapping runs. The search aggregates data across multiple indexes and uses a large time window. What is the best way to prevent overlap and ensure the search completes?

Which TWO of the following are valid ways to create a macro in Splunk? (choose two)

Which THREE of the following are components of the Splunk Common Information Model (CIM)? (choose three)

A user wants to create a macro that calculates the average response time for web requests. The macro should accept a field name as an argument and return the average. Which syntax is correct for defining the macro?

Exhibit

Refer to the exhibit.
The following macro definition is saved in a Splunk environment:
```
[name="my_macro"]
args = host, index, sourcetype
definition = search index=$index$ host=$host$ sourcetype=$sourcetype$
```
When a user runs `` | `my_macro(index=main host=web01 sourcetype=access_combined)` ``, they receive the error: "Error in 'search' command: Unable to parse the search: Expected '(', found end of command."

What is the most likely cause of the error?
Question 16 · easy · multiple choice

A security analyst needs to monitor failed login attempts across multiple Windows domain controllers. The environment has a custom sourcetype 'WinEventLog:Security' and the data is indexed under 'windows_security'. The analyst wants to create a saved search that runs every 10 minutes, searches for EventCode 4625 (failed logon), and triggers an alert if more than 10 failures occur from the same source IP within the last 10 minutes. The saved search should use the Common Information Model (CIM) to ensure compatibility with other security apps. Which of the following saved search definitions best meets these requirements?

Question 17 · medium · multiple choice

A Splunk administrator notices that a scheduled saved search titled 'Nightly_Threat_Report' is not completing on time. The search runs at 2:00 AM daily and typically takes 15 minutes, but recently it has been timing out after 30 minutes. The search query is complex, joining data from multiple indexes. The administrator checks the 'savedsearch.log' and sees entries like 'Search job terminated due to dispatch time limit' and 'Search job exceeded max time'. The administrator wants to resolve the issue without changing the search logic or increasing system resource limits. Which action should the administrator take first?

Which TWO of the following are valid reasons to use the Common Information Model (CIM) in a Splunk environment?

A Splunk admin has created several macros to simplify complex search commands. One macro, named `time_filter`, is defined as `earliest=-7d@d latest=@d`. The admin also has a saved search that uses this macro. Recently, users have complained that the saved search reports data from the wrong time range: it appears to be showing data from the last 24 hours instead of the last 7 days. The admin inspects the saved search and finds that the search string is:

`` index=main | eval days=now() | where days > relative_time(now(), "-7d@d") | `time_filter` ``

The admin suspects the macro is not being expanded correctly. Which of the following is the most likely cause of the issue?

Order the steps to configure a field extraction using the Field Extractor (FX) in Splunk.



Frequently asked questions

What does the SPLK-1003 exam test about Macros, Saved Searches and CIM?
Macros, Saved Searches and CIM questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Macros, Saved Searches and CIM questions in a focused session?
Yes — the session launcher on this page draws every question from the Macros, Saved Searches and CIM domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SPLK-1003 topics?
Use the topic links above to move to related areas, or go back to the SPLK-1003 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SPLK-1003 exam covers. They are not copied from any real exam or dump site.