Sample questions
Splunk Core Certified User SPLK-1002 practice questions
During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?
- A. Remove unnecessary fields from the data model to reduce complexity.
  Why wrong: Removing fields may help, but the memory error is about process allocation, not field count.
- B. Increase the memory allocation for the data model acceleration process.
  Correct: The error indicates insufficient memory; increasing the allocation resolves it.
- C. Reduce the summary range to less than 7 days.
  Why wrong: Reducing the range may reduce memory needs but is not a direct fix for memory allocation.
- D. Use tstats instead of data model acceleration for queries.
  Why wrong: tstats relies on acceleration; it does not address the build memory error.
Which TWO are best practices for creating data models in Splunk? (Choose two.)
- A. Use data model acceleration to improve query performance on large datasets.
  Correct: Acceleration pre-computes summaries for faster searches.
- B. Base data models on indexed fields rather than search-time extracted fields.
  Why wrong: Data models work with search-time fields; indexed fields are not directly referenced.
- C. Design data models based on the specific use cases and queries they will support.
  Correct: Focused data models improve performance and maintainability.
- D. Create many-to-many relationships between root events and child datasets.
  Why wrong: Many-to-many relationships are complex and can degrade performance.
- E. Include all available fields to ensure maximum flexibility.
  Why wrong: Including all fields increases complexity and reduces acceleration performance.
A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?
- A. Increase the acceleration frequency to rebuild summaries more often.
  Why wrong: More frequent rebuilds may increase disk I/O but do not reduce space.
- B. Reduce the summary range to 30 days.
  Correct: A shorter summary range reduces the amount of summary data, saving disk space.
- C. Disable acceleration for the data model.
  Why wrong: Disabling acceleration removes all summaries, impacting query performance.
- D. Delete old indexed data that is not frequently queried.
  Why wrong: Deleting indexed data is drastic and may violate retention policies.
A security analyst wants to investigate a suspicious IP address that appeared in multiple log sources. Which Splunk feature is best suited to quickly find all events containing that IP across all indexed data?
- A. Data Summary
  Why wrong: Data Summary lists sourcetypes and indexes, not search results.
- B. Dashboard panel
  Why wrong: Dashboards display saved searches, not ad-hoc queries.
- C. Alert action
  Why wrong: Alerts send notifications based on saved searches; they are not for immediate investigation.
- D. Search bar in the Search & Reporting app
  Correct: The search bar allows running a query across all data.
A search includes the command '| stats dc(user) by host'. What does this command return?
- A. The number of unique hosts per user
  Why wrong: The result is grouped by host, not by user.
- B. The count of events per host
  Why wrong: dc(user) is a distinct count, not an event count.
- C. The sum of user values per host
  Why wrong: Sum is not applicable to string values.
- D. The number of distinct users per host
  Correct: dc(user) counts distinct users.
A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:
index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count
The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
- A. Use 'eventstats count by clientip, sessionid' and then filter where count > 5, then sort and head.
  Why wrong: eventstats does not reduce the number of events; it still processes all of them.
- B. Use the 'transaction' command to group events by clientip and sessionid, then filter by duration.
  Why wrong: transaction is more resource-intensive than stats.
- C. Add a 'where' command after stats to filter out internal IPs and use 'head 10' at the end.
  Why wrong: Internal IPs are not filtered early, so all data is still processed.
- D. Add 'clientip!=10.0.0.0/8' in the base search, then use 'stats count by clientip, sessionid', then 'where count>5', then 'sort - count | head 10'.
  Correct: Filters early, uses the efficient stats command, then filters and sorts on the reduced data.
You are a Splunk admin for a large enterprise with multiple distributed Splunk components. The security team frequently runs searches that use a large CSV lookup file (500MB) containing threat intelligence indicators. They report that searches are slow and sometimes time out. The lookup file is updated hourly via an automated script. The team currently uses the 'lookup' command in every search. You need to improve performance without sacrificing data freshness. Your environment has a search head cluster and indexer cluster. The lookup file is stored on a shared filesystem accessible to all search heads. Which single approach will best improve search performance while maintaining hourly updates?
- A. Configure the lookup as a time-based lookup with a filter condition to only apply to events with matching IP fields, and use an automatic lookup to avoid the manual command.
  Correct: Time-based lookups and filtering reduce the number of events processed, improving speed.
- B. Increase the search concurrency limit on the search head to allow more parallel lookups.
  Why wrong: Concurrency helps with multiple searches, not the performance of a single search.
- C. Convert the CSV to a KV Store collection and use the 'lookup' command with the KV Store lookup.
  Why wrong: KV Store may not be faster for large static datasets and adds complexity.
- D. Move the CSV file to each indexer and use index-time field lookup.
  Why wrong: Index-time lookups are deprecated and not recommended; search-time lookups are standard.
A security team wants to create a data model to analyze authentication events from multiple sources (Windows Event Log, Linux syslog, and VPN logs). The data model should normalize the fields for user, source IP, and action (success/failure). Which Splunk best practice should be applied when designing this data model?
- A. Use event types to categorize authentication events and then create a data model based on event types.
  Why wrong: Event types are for tagging, not for normalizing fields in a data model.
- B. Create separate data models for each data source to avoid field conflicts.
  Why wrong: Separate data models would hinder cross-source correlation and analysis.
- C. Define a single data model that maps fields to the Common Information Model (CIM).
  Correct: CIM field mapping allows normalization and correlation across different sources.
- D. Create field aliases in props.conf for each source to rename fields to a common name, then use a simple data model.
  Why wrong: While field aliases help, the recommended practice is to use CIM field mapping within the data model itself.
What is the purpose of this search? Refer to the exhibit.
Exhibit:
index=web sourcetype=access_combined | stats count by status | sort - count | head 5
- A. To list the first 5 status codes in alphabetical order.
  Why wrong: Sorting is by count, not by status code.
- B. To filter events with status codes that appear less than 5 times.
  Why wrong: There is no filter on the count value.
- C. To display the 5 most common HTTP status codes in the web index.
  Correct: Counts by status, sorts descending, and returns the top 5.
- D. To show the 5 most recent events sorted by status code.
  Why wrong: head 5 returns the first 5 results after the sort, not the most recent events.
A user notices that a calculated field defined in props.conf is not appearing in search results. Which of the following is the most likely cause?
- A. The calculated field requires index-time field extraction.
  Why wrong: Calculated fields are search-time only.
- B. The source fields used in the calculation are not extracted.
  Correct: Calculated fields depend on the source fields being available.
- C. The calculated field is defined in a field alias configuration.
  Why wrong: Field aliases are defined differently and do not calculate values.
- D. The indexer is not configured to apply calculated fields.
  Why wrong: Calculated fields are applied by the search head, not by indexers.
A user wants to create a pie chart showing the distribution of error types from web server logs. Which Splunk command should be used to group the errors before visualization?
- A. table
  Why wrong: table only displays fields without aggregation.
- B. eval
  Why wrong: eval creates or modifies fields but does not aggregate data.
- C. top
  Why wrong: top shows the most common values but does not output a count field suitable for a pie chart.
- D. stats count by error_type
  Correct: This returns the count per error type, which can be visualized as a pie chart.
Which TWO statements about designing Splunk data models are correct? (Choose two.)
- A. Root events in a data model can be constrained using a constraint string.
  Correct: Constraints filter the events that become part of the root dataset.
- B. Data models are stored on indexers for faster access.
  Why wrong: Data models are defined on the search head, not stored on indexers.
- C. Data models can include fields that are extracted at search time.
  Correct: Data models can use both indexed and search-time extracted fields.
- D. Data models require acceleration to be used in searches.
  Why wrong: Acceleration is optional; data models can be used without it.
- E. A data model must contain exactly one root dataset.
  Why wrong: Data models can have multiple root datasets.
A security analyst has created a report that shows the count of failed login attempts by user. The analyst now wants to display this data as a column chart on a dashboard. Which Splunk feature should be used to convert the report into a visualization?
- A. Schedule the report to run and then export the results as a PDF.
  Why wrong: This only generates a PDF, not a dashboard visualization.
- B. Use the 'Save As Dashboard Panel' option on the report.
  Correct: This option directly creates a visualization panel on a dashboard from the report.
- C. Convert the report to an alert and then add it to the dashboard.
  Why wrong: Converting to an alert does not create a visualization; it sets up alert conditions.
- D. Copy the report's search string and paste it into a new dashboard panel.
  Why wrong: While possible, this is not the intended feature and may require additional formatting.
Which TWO of the following are valid ways to add a visualization to a dashboard in Splunk?
- A. Use the 'Edit' button on an existing panel to change it to a new visualization.
  Why wrong: Editing changes the existing panel; it does not add a new visualization.
- B. Create a new panel in the dashboard editor and select a visualization type.
  Correct: This is the direct method via the dashboard editor.
- C. Export a report as a PDF and upload it as an image panel.
  Why wrong: PDF export is for external use, not for dynamic dashboard panels.
- D. Convert a saved report to a dashboard panel using the 'Save As Dashboard Panel' option.
  Correct: This is a standard way to add a visualization from a report.
- E. Set up an alert and configure it to add a panel to the dashboard.
  Why wrong: Alerts can trigger actions but do not directly add panels to dashboards.
An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?
- A. Use a base search and post-process searches for dependent panels.
  Correct: This shares search results across panels, reducing overall search execution.
- B. Reduce the time range picker to the last 24 hours.
  Why wrong: This may omit necessary data and does not address search redundancy.
- C. Combine all searches into one large search and use eval to separate results.
  Why wrong: Complex evals can be inefficient and hard to maintain; post-process searches are recommended.
- D. Add more panels to distribute the data load.
  Why wrong: More panels mean more searches, worsening performance.
Exhibit:
# props.conf
[apache_error]
TRANSFORMS-set = set_error_type
# transforms.conf
[set_error_type]
REGEX = \[(error|warn|info)\]
FORMAT = error_type::$1
DEST_KEY = _meta
Refer to the exhibit. A Splunk user is building a data model for Apache error logs. The configuration above extracts an error_type field. However, when previewing data in the data model, the error_type field is not available. What is the most likely cause?
- A. The regular expression in transforms.conf is incorrectly formatted.
  Why wrong: The regex correctly captures error, warn, or info.
- B. The transforms.conf is in the wrong app context.
  Why wrong: App context would not prevent the field from being available if it were configured correctly.
- C. The transform name in props.conf does not match the transform name in transforms.conf.
  Why wrong: The names match: 'set_error_type'.
- D. The DEST_KEY is set to _meta, which does not make the field available for data models.
  Correct: _meta stores the value in internal metadata, not as an indexed or search-time field.
A security analyst wants to enrich authentication logs with a lookup table containing user department and manager information. Which TWO statements are true about using lookups in Splunk?
- A. Once a lookup is defined, it cannot be updated.
  Why wrong: Lookups can be updated by replacing the file or modifying the KV Store collection.
- B. The inputlookup command can be used to load a lookup file into a search.
  Correct: inputlookup loads the lookup table into the search results.
- C. Lookups can only be created from CSV files.
  Why wrong: Lookups can be created from CSV files or KV Store collections, or defined as external lookups.
- D. Lookups can only match on a single field.
  Why wrong: Lookups can match on multiple fields.
- E. Automatic lookups can be configured in props.conf and transforms.conf.
  Correct: Automatic lookups are configured via props.conf and transforms.conf.
Which of the following are true about creating and managing dashboards in Splunk? (Choose all that apply. There are four correct answers.)
A Splunk administrator is configuring a lookup to enrich firewall logs with a static CSV file containing allowed IP ranges. Which TWO statements about lookup configuration are correct?
- A. A KV Store lookup is required for static tables.
  Why wrong: KV Store is for dynamic collections, not static files.
- B. The lookup definition must include the fields to match on from the event data.
  Correct: Matching fields are required to relate the lookup table to events.
- C. The CSV file can be uploaded through the Lookups menu in Settings.
  Correct: Static CSV files can be uploaded via the Lookups menu.
- D. The lookup is defined in macros.conf.
  Why wrong: Lookup definitions are in transforms.conf.
- E. The CSV file must be placed in an absolute path on the search head.
  Why wrong: Splunk uses relative paths within the app directory.
An administrator notices that a user's search is timing out after 60 seconds. The search needs up to 5 minutes to complete. What should the administrator do?
- A. Reduce the time range of the search to run faster.
  Why wrong: This changes the search rather than fixing the timeout.
- B. Adjust the 'Search Results Retention' in the user's account preferences.
  Correct: This setting controls how long Splunk waits for results before timing out.
- C. Change the search to a real-time search to avoid the timeout.
  Why wrong: Real-time searches have their own timeout limits.
- D. Increase the 'Search Timeout' setting in system settings.
  Why wrong: No such global setting exists.
A user runs a search and sees the results in the Statistics tab, but the events are not appearing. What is the most likely reason?
- A. The search is a scheduled search.
  Why wrong: Scheduled searches also show events if they are not transformed.
- B. The user does not have permission to view raw events.
  Why wrong: A permissions problem would show an error, not just missing events.
- C. The search includes a transforming command like stats.
  Correct: Transforming commands produce statistical tables, not event lists.
- D. The time range is too narrow.
  Why wrong: The time range affects results but does not hide events behind statistics.
Drag and drop the steps to add a new data input using Splunk Web (e.g., monitor a log file) into the correct order.
Drag and drop the steps to troubleshoot a Splunk search that returns no results into the correct order.
Drag and drop the steps to configure a Splunk alert that sends an email when a specific condition is met into the correct order.