The answer is C, because the `search` command cannot interpret wildcards on extracted fields, treating `10.0*` as a literal string instead of a pattern. In Splunk, when you use `search ip=10.0*`, the asterisk is not recognized as a wildcard for field-value comparisons; the `search` command only supports wildcards on raw event text, not on structured, extracted fields. To perform wildcard pattern matching on extracted fields, you must use the `where` command with the `like` operator (e.g., `where ip like "10.0%"`) or a regex function. This question tests your understanding of Splunk’s search-time field extraction and command limitations, a common trap on the SPLK-1003 exam where candidates mistakenly assume `search` behaves like `where`. Remember the memory tip: "Search for raw, Where for parsed"—use `search` for wildcards in raw text, but switch to `where` with `like` when matching patterns on extracted fields.
SPLK-1003 Advanced Searching and Statistics Practice Question
This SPLK-1003 practice question tests your understanding of advanced searching and statistics. Read the scenario carefully and evaluate each option against the stated constraints before committing to an answer. Once you have made your selection, read the full explanation and wrong-answer breakdown to reinforce the concept and understand why each distractor is designed to mislead on exam day.
Exhibit
index=main sourcetype=syslog
| rex field=_raw "User (?<user>\w+) logged in from (?<ip>\d+\.\d+\.\d+\.\d+)"
| search ip="10.0.*"
| table user, ip
Refer to the exhibit. The search is intended to display users who logged in from IP addresses starting with 10.0, but returns no results. What is the most likely cause?
Clue words in this question
Noticing these words before you look at the options changes how you read each choice.
Clue: "most likely"
Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.
Correct answer & explanation
✓
The `search` command should be `where` to use wildcard on extracted fields.
The search uses `search ip=10.0*` which attempts to apply a wildcard pattern to an extracted field. However, the `search` command does not support wildcards for field-value comparisons; it treats `10.0*` as a literal string. To use wildcards on extracted fields, the `where` command with a `like` operator (e.g., `where ip like "10.0%"`) or a regex match is required. This is why option C is correct.
Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
Answer analysis
Option-by-option breakdown
For each option: why learners choose it and why it is or isn't the right answer here.
✗
The regex pattern is incorrect.
Why it's wrong here
The regex appears correct for typical syslog formats.
✗
The field 'ip' is not extracted properly.
Why it's wrong here
The regex seems correct, and the issue is more likely the use of `search` on an extracted field.
✓
The `search` command should be `where` to use wildcard on extracted fields.
Why this is correct
For extracted (non-indexed) fields, `search` may not support wildcards efficiently; `where` with `like` is appropriate.
Clue confirmation
The clue word "most likely" in the question points toward this answer.
Related concept
Read the scenario before looking for a memorised answer.
✗
The index should be specified at the beginning of the search.
Why it's wrong here
The index is already specified at the beginning.
Common exam traps
Common exam trap: answer the scenario, not the keyword
Splunk often tests the misconception that the `search` command supports wildcards for extracted fields, leading candidates to overlook the need for `where` or `regex` commands for pattern matching on field values.
Detailed technical explanation
How to think about this question
In Splunk, the `search` command treats field-value pairs as exact matches or uses implicit wildcards only on raw text, not on extracted fields. The `where` command, by contrast, supports SQL-like operators such as `like` and `match` for pattern matching on fields. Under the hood, `search ip=10.0*` is interpreted as a literal string comparison, so it fails to match IPs like 10.0.1.2. This distinction is critical when filtering structured data versus raw events.
Key Concepts to Remember
Read the scenario before looking for a memorised answer.
Find the constraint that changes the correct option.
Eliminate answers that are true in general but not in this case.
Exam Day Tips
→ Watch for words such as best, first, most likely and least administrative effort.
→ Review why wrong options are wrong, not only why the correct option is correct.
Key takeaway
Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.
What to study next
Got this wrong? Here's your next step.
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Advanced Searching and Statistics — This question tests Advanced Searching and Statistics. Read the scenario before looking for a memorised answer.
What is the correct answer to this question?
The correct answer is: The `search` command should be `where` to use wildcard on extracted fields. — The search uses `search ip=10.0*` which attempts to apply a wildcard pattern to an extracted field. However, the `search` command does not support wildcards for field-value comparisons; it treats `10.0*` as a literal string. To use wildcards on extracted fields, the `where` command with a `like` operator (e.g., `where ip like "10.0%"`) or a regex match is required. This is why option C is correct.
What should I do if I get this SPLK-1003 question wrong?
Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.
Are there clue words in this question I should notice?
Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.
What is the key concept behind this question?
Read the scenario before looking for a memorised answer.
About these practice questions
Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.
This SPLK-1003 practice question is part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the SPLK-1003 exam.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.