Splunk Core Certified User SPLK-1002 (SPLK-1002) — Questions 151225

510 questions total · 7pages · All types, answers revealed

Page 2

Page 3 of 7

Page 4
151
MCQeasy

A user wants to see the top 10 source IP addresses generating 404 errors. Which SPL is correct?

A.index=web status=404 | top src_ip
B.index=web status=404 | sort src_ip
C.index=web | top src_ip
D.index=web status=404 | rare src_ip
AnswerA

top returns the most frequent values of src_ip.

Why this answer

Option A is correct because it first filters events with `index=web status=404` to isolate only 404 errors, then uses the `top` command to count occurrences of each `src_ip` value and return the top 10 by default. This directly answers the user's request for the top 10 source IPs generating 404 errors.

Exam trap

The trap here is that candidates may confuse `top` with `sort` or `rare`, or forget to filter by `status=404`, leading them to choose options that either sort alphabetically, show least common values, or ignore the error condition entirely.

How to eliminate wrong answers

Option B is wrong because `sort src_ip` sorts the results alphabetically by source IP, not by frequency, so it does not show the top 10 IPs generating errors. Option C is wrong because it omits the `status=404` filter, returning top source IPs across all status codes, not just 404 errors. Option D is wrong because `rare` returns the least common values, not the most common (top) source IPs.

152
MCQhard

A dashboard uses a drilldown on a table to navigate to another dashboard. After migration to a different Splunk instance, the drilldown links are broken. What is the best practice to avoid this issue?

A.Use token variables like $host$ in the link
B.URL-encode the dashboard name
C.Use absolute URLs with the full server name
D.Use relative paths like /app/search/dashboard_name
AnswerD

Relative paths remain valid across instances.

Why this answer

Option D is correct because using relative paths (e.g., `/app/search/dashboard_name`) ensures that the drilldown link remains valid after migration to a different Splunk instance. Absolute URLs with the full server name (Option C) break when the hostname or port changes, while token variables like `$host$` (Option A) are not resolved in drilldown links. URL-encoding the dashboard name (Option B) is unnecessary because Splunk dashboard names are already URL-safe and encoding does not address the root cause of broken links.

Exam trap

The trap here is that candidates often confuse token variables (which work in searches) with drilldown link fields, leading them to choose Option A, or they mistakenly think URL-encoding (Option B) solves migration issues, when the real problem is the hardcoded hostname in absolute URLs.

How to eliminate wrong answers

Option A is wrong because token variables like `$host$` are not evaluated in drilldown link fields; they are only resolved in search strings or form inputs, not in static HTML links. Option B is wrong because URL-encoding the dashboard name does not fix the underlying issue of absolute host references; it only handles special characters, which are rarely present in dashboard names. Option C is wrong because absolute URLs with the full server name hardcode the host and port, which will break when the Splunk instance is migrated to a different server or port.

153
MCQmedium

A user creates a calculated field that extracts the domain from email addresses using the expression `| rex field=email "(?P<domain>@\w+\.\w+)"`. However, the calculated field does not appear in search results. What is the most likely reason?

A.Calculated fields must be enabled in props.conf with REPORT clauses.
B.Calculated fields are only applied at search time, not index time.
C.The field extraction is incorrect.
D.Calculated fields must be used with the `eval` command.
AnswerA

Requires proper configuration.

Why this answer

Option A is correct because calculated fields in Splunk require explicit configuration in props.conf using a REPORT clause to define the extraction. Without this configuration, the calculated field is not available for use in searches, even if the extraction expression is valid. The user's calculated field definition is missing the necessary props.conf setup, so it never gets applied.

Exam trap

The trap here is that candidates assume a valid regex in a calculated field definition is sufficient for it to appear in results, overlooking the mandatory props.conf configuration step that Splunk requires for persistent field extractions.

How to eliminate wrong answers

Option B is wrong because calculated fields are applied at search time, not index time, which is actually the default behavior and does not prevent the field from appearing; the issue is the lack of props.conf configuration. Option C is wrong because the regular expression `(?P<domain>@\w+\.\w+)` is syntactically correct for extracting the domain from an email address, so the extraction itself is not the problem. Option D is wrong because calculated fields are defined in props.conf and do not require the `eval` command; `eval` is used for ad-hoc field creation in searches, not for persistent calculated fields.

154
Multi-Selecthard

Which TWO statements about designing Splunk data models are correct? (Choose two.)

Select 2 answers
A.Root events in a data model can be constrained using a constraint string.
B.Data models are stored on indexers for faster access.
C.Data models can include fields that are extracted at search time.
D.Data models require acceleration to be used in searches.
E.A data model must contain exactly one root dataset.
AnswersA, C

Constraints filter events that become part of the root dataset.

Why this answer

Option A is correct because a root event in a data model can be constrained using a constraint string, which is a search expression that filters the events included in that dataset. This allows you to define a subset of data for the root dataset without modifying the underlying indexed data.

Exam trap

The trap here is that candidates often confuse data model storage location (search head vs. indexers) and assume acceleration is mandatory, when in fact data models are metadata-only and acceleration is a performance optimization, not a requirement.

155
MCQmedium

Refer to the exhibit. The pie chart shows only 10 slices, but the base search stats returns all destinations. What is the reason?

A.The post-process search includes | top limit=10 dest
B.The eval command changes the dest field
C.The base search time range is too small
D.The charting option 'chart' is set to 'pie'
AnswerA

This command reduces the results to the top 10 destinations, causing only 10 slices.

Why this answer

The base search returns all destinations, but the pie chart shows only 10 slices because the post-process search uses the `| top limit=10 dest` command. The `top` command limits the results to the top 10 values of the `dest` field by count, and this post-process search is applied after the base search, so only those 10 slices are displayed in the pie chart.

Exam trap

The trap here is that candidates may think the pie chart itself limits the number of slices (option D) or that the base search time range is responsible, but the actual cause is the `| top limit=10` command in the post-process search, which explicitly restricts the output to 10 results.

How to eliminate wrong answers

Option B is wrong because the `eval` command changes or creates a field, but it does not inherently limit the number of results; it would not cause only 10 slices to appear. Option C is wrong because the time range of the base search affects the data retrieved, but it does not directly limit the number of distinct `dest` values to exactly 10; the pie chart would still show all destinations from that time range. Option D is wrong because setting the charting option 'chart' to 'pie' only defines the visualization type; it does not impose a limit on the number of slices shown.

156
MCQeasy

A new Splunk user wants to see all events from the last 30 minutes, but the search returns no results. The user knows data is being indexed. Which is the most likely cause?

A.The time range picker is set to 'All time' but the user expects 'Last 30 minutes'.
B.Data is not yet indexed.
C.The search is restricted to index=_internal.
D.The search string has a typo in the time modifier.
AnswerA

Time range picker overrides any time modifiers in the search string.

Why this answer

Option A is correct because the most common reason a search returns no results when data is known to be indexed is an incorrect time range picker setting. If the picker is set to 'All time', it will only show events from the beginning of the index, but if the user expects events from the last 30 minutes, they must select 'Last 30 minutes' or a custom relative time. The time range picker overrides any time modifiers in the search string, so even a correct search string will fail if the picker is set to a non-overlapping range.

Exam trap

The trap here is that candidates assume a search string with a time modifier (like '-30m') will override the time range picker, but Splunk's time range picker always takes precedence unless the search explicitly uses 'earliest' and 'latest' in the SPL.

How to eliminate wrong answers

Option B is wrong because the user explicitly states data is being indexed, so this is not the cause. Option C is wrong because restricting to index=_internal would still return events from that index, not zero results, and the user did not mention any index restriction. Option D is wrong because a typo in the time modifier (e.g., 'earliest=-30m' vs 'earliest=-30min') would not cause zero results; Splunk would either ignore the invalid modifier or default to the time range picker setting, which is the actual issue.

157
MCQmedium

A Splunk admin wants to ensure that data models are built efficiently and do not consume excessive resources. Which of the following is a best practice when creating data models?

A.Add tags to every field in the data model for better discoverability.
B.Define constraints carefully to include only relevant events for each object.
C.Convert all fields to calculated fields to normalize the data model.
D.Use a single root event with no child objects to simplify the data model.
AnswerB

Constraints ensure acceleration works on a focused dataset.

Why this answer

Option A is correct because using constraints to limit the events included in each object improves acceleration performance and reduces resource usage. Option B is incorrect because converting all fields to calculated fields adds overhead. Option C is incorrect because using the root event for all data reduces organization.

Option D is incorrect because tagging all fields slows down search.

158
Multi-Selecthard

Which three of the following are best practices for creating efficient dashboards? (Choose three.)

Select 3 answers
A.Use summary indexing to pre-aggregate data
B.Use base searches to avoid duplicating search logic
C.Use tokens to pass user input between panels
D.Use real-time searches to ensure data is current
E.Use the | map command to iterate over large result sets
AnswersA, B, C

Summary indexing reduces the amount of data each panel must scan.

Why this answer

Option A is correct because summary indexing pre-aggregates data at search time and stores the results in a summary index, which can then be searched much faster than the raw data. This drastically reduces the amount of data that must be scanned when rendering dashboard panels, especially for large datasets or long time ranges, improving dashboard load performance.

Exam trap

Splunk often tests the misconception that real-time searches are ideal for dashboards because they show the latest data, but the trap is that real-time searches are resource-intensive and not designed for repeated or shared dashboard use, whereas summary indexing provides efficient, pre-computed data for dashboards.

159
MCQeasy

Which of the following best describes the purpose of the 'fields' command in a search?

A.To keep or remove specified fields from events
B.To rename existing fields
C.To add fields from a lookup table
D.To extract new fields from raw data
AnswerA

fields command includes or excludes fields.

Why this answer

The 'fields' command in Splunk is used to either keep (include) or remove (exclude) specified fields from search results. By default, all extracted fields are returned, but 'fields' allows you to narrow the output to only relevant fields (e.g., `fields clientip, status`) or to drop unwanted fields (e.g., `fields - _raw`). This improves readability and performance by reducing the data volume passed to subsequent commands.

Exam trap

The trap here is that candidates often confuse 'fields' with 'rex' or 'extract' for field creation, or with 'lookup' for field enrichment, because all involve manipulating fields but serve fundamentally different purposes.

How to eliminate wrong answers

Option B is wrong because renaming fields is done with the 'rename' command, not 'fields'. Option C is wrong because adding fields from a lookup table is accomplished using the 'lookup' command (or 'inputlookup'), not 'fields'. Option D is wrong because extracting new fields from raw data is performed by the 'rex' command (using regular expressions) or by using the 'extract' command (for delimited extractions), not by 'fields'.

160
MCQeasy

A security analyst wants to accelerate a frequently run search that uses the `Authentication` data model. Which best practice should they follow to ensure the acceleration consumes minimal disk space?

A.Use data model acceleration with summarization enabled.
B.Set the acceleration summary range to include all historical data.
C.Disable acceleration and rely on raw search.
D.Create a separate index for the data model events.
AnswerA

Summarization stores only aggregated results, minimizing disk usage.

Why this answer

Option A is correct because data model acceleration with summarization enabled pre-computes and stores aggregated results for the `Authentication` data model, which reduces the disk space required compared to storing raw events. Summarization creates compact, time-based buckets of statistical data rather than full event copies, minimizing storage overhead while still accelerating frequently run searches.

Exam trap

Splunk often tests the misconception that acceleration requires storing all historical data (Option B) or that creating separate indexes (Option D) reduces disk space, when in fact summarization with a limited range is the key to minimizing storage.

How to eliminate wrong answers

Option B is wrong because setting the acceleration summary range to include all historical data would force the system to process and store summaries for the entire dataset, consuming excessive disk space rather than minimizing it. Option C is wrong because disabling acceleration and relying on raw search would eliminate any pre-computed summaries, forcing the search to scan all raw events each time, which increases disk I/O and runtime without saving space. Option D is wrong because creating a separate index for the data model events would duplicate the data, increasing disk space usage, and does not inherently accelerate searches or reduce storage.

161
MCQeasy

Which of the following is a default field that is automatically extracted by Splunk?

A.`department`
B.`error_code`
C.`user_id`
D.`host`
AnswerD

Default field.

Why this answer

The `host` field is a default field that Splunk automatically extracts from every event, typically derived from the hostname of the machine that generated the data. It is one of the three default fields (along with `source` and `sourcetype`) that Splunk uses to categorize and search events, and it is always available without any custom field extraction or configuration.

Exam trap

Splunk often tests the misconception that custom fields like `user_id` or `error_code` are automatically extracted, when in fact only the three metadata fields (`host`, `source`, `sourcetype`) are guaranteed to be present in every event without additional configuration.

How to eliminate wrong answers

Option A is wrong because `department` is not a default field; it is a custom field that would require explicit extraction via field extractions, lookups, or data preprocessing. Option B is wrong because `error_code` is not automatically extracted by Splunk; it is a field that must be defined through key-value extraction, regex, or structured data parsing. Option C is wrong because `user_id` is not a default field; it is typically extracted from application logs or authentication events and requires custom configuration or schema definition.

162
MCQhard

An analyst wants to find events where the field 'user' is not present. Which search correctly identifies such events?

A.user=null
B.-user
C.NOT isnotnull(user)
D.user=""
AnswerC

isnotnull returns true if the field exists; NOT isnotnull finds events without the field.

Why this answer

Option C is correct because the `NOT isnotnull(user)` search uses the `isnotnull()` function to check if the `user` field exists and is not null, then negates it with `NOT` to return only events where the `user` field is absent or null. In Splunk, fields that are not present in an event are considered null, so this combination accurately identifies events lacking the field.

Exam trap

Splunk often tests the misconception that `user=""` or `user=null` can detect missing fields, when in fact they only match fields with empty or literal null values, not absent fields.

How to eliminate wrong answers

Option A is wrong because `user=null` does not match events where the `user` field is missing; it searches for events where the `user` field exists and has the literal string value 'null', which is not the same as a missing field. Option B is wrong because `-user` is an invalid syntax in Splunk; the negation operator `-` is used before a search term (e.g., `-error`) to exclude events containing that term, but it cannot be applied to a field name alone to test for field absence. Option D is wrong because `user=""` matches events where the `user` field exists but has an empty string value, not events where the field is entirely absent.

163
MCQmedium

A data model has been accelerated but some Pivot reports are showing incomplete data. What is the most likely cause?

A.The acceleration summary range does not cover the full time range of the report.
B.The data model has too many fields.
C.The data model is not normalized.
D.The search time field extractions are conflicting.
AnswerA

Acceleration only summarizes data within its configured time range.

Why this answer

Option B is correct because the acceleration summary range may not cover the full time range of the report, leading to incomplete data. Option A is wrong because normalization is not related. Option C is wrong because too many fields do not cause incomplete data.

Option D is wrong because conflicting field extractions are not directly related.

164
MCQhard

A team has created a data model based on sourcetypes from different sources. Some fields are not populating correctly in Pivot. Which of the following is the most effective troubleshooting step?

A.Use the `| datamodel <model> search` command to preview data and identify missing fields.
B.Rebuild the data model acceleration.
C.Increase the acceleration time range.
D.Check the field extractions in transforms.conf.
AnswerA

This command shows raw data and field values, helping to pinpoint missing fields.

Why this answer

Option C is correct because using the `| datamodel` command allows you to see the raw data and identify missing fields. Option A is wrong because rebuilding acceleration is not a first step. Option B is wrong because field extractions might not be the issue.

Option D is wrong because increasing acceleration time range does not help with field population.

165
MCQhard

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?

A.Enable row expansion in the table options
B.Add a link to the search in the table using 'Link to external resource'
C.Set the drilldown action to 'Search' in the table's edit panel
D.Use the `drilldown` search command in the underlying search
AnswerC

Configures drilldown to run a new search.

Why this answer

Option C is correct because setting the drilldown action to 'Search' in the table's edit panel configures the dashboard to open a new search when a row is clicked. This uses the selected row's field values (e.g., server name) to populate the new search, enabling a detailed view of that server's events. The drilldown action is a built-in feature of Splunk's Simple XML dashboards, not a search command or external link.

Exam trap

The trap here is that candidates confuse the `drilldown` configuration option in the dashboard editor with a non-existent SPL command, or they assume row expansion or external links can achieve the same interactive navigation, but only the 'Search' drilldown action correctly passes row context to a new Splunk search.

How to eliminate wrong answers

Option A is wrong because row expansion in table options only reveals hidden fields within the same table, it does not trigger a new search or navigate to a different view. Option B is wrong because 'Link to external resource' creates a static URL that opens an external website, not a Splunk search; it cannot dynamically pass row values to a new Splunk search. Option D is wrong because there is no `drilldown` search command in Splunk's Search Processing Language (SPL); drilldown behavior is configured in the dashboard XML or UI, not in the underlying search string.

166
MCQmedium

You are a Splunk analyst for a financial services firm. You need to create a weekly report for management showing the total transaction value and number of transactions per day, broken down by transaction type (credit, debit, transfer). The data is in index=transactions with fields: trans_date, trans_type, amount. The report should be sent via email every Monday morning at 8 AM. You have created a report with the search: `index=transactions | timechart sum(amount) by trans_type`. However, the timechart shows only one series because the trans_type field has multiple values. You need to fix the search so that it correctly separates by trans_type. Additionally, you need to schedule the report. What should you do?

A.Add `| stats sum(amount) by _time, trans_type` before timechart.
B.Use `| eval trans_type=split(trans_type, ",") | mvexpand trans_type | timechart sum(amount) by trans_type`.
C.Use `| chart sum(amount) by trans_type` instead of timechart.
D.Use `| makemv trans_type | timechart sum(amount) by trans_type`.
AnswerB

Handles multivalue fields.

Why this answer

Option B is correct because the trans_type field contains multiple values in a single field (e.g., 'credit,debit,transfer'), so you must first split the values using `split()` and then expand them with `mvexpand` before using `timechart` to correctly separate the series. This ensures each transaction type is treated as an individual event for the aggregation.

Exam trap

Splunk often tests the distinction between `makemv` (which works on space-delimited or newline-delimited multivalue fields) and `split`/`mvexpand` (which handles custom delimiters like commas), leading candidates to incorrectly choose `makemv` for comma-separated data.

How to eliminate wrong answers

Option A is wrong because `stats sum(amount) by _time, trans_type` would produce a table, not a timechart, and would not automatically bin events into time buckets; it also does not handle multivalue fields. Option C is wrong because `chart sum(amount) by trans_type` would create a single summary statistic across all time, losing the per-day breakdown required for the weekly report. Option D is wrong because `makemv` is used to split a multivalue field that is already delimited by spaces or newlines, not commas; it would not correctly parse comma-separated values, and it does not expand the events for timechart.

167
Multi-Selectmedium

Which THREE of the following statements about data model acceleration are true?

Select 3 answers
A.Accelerated data models consume disk space.
B.Accelerated data models cannot be used with the '| tstats' command.
C.Acceleration can be enabled on any data model.
D.The acceleration process can be scheduled to run at specific times.
E.Acceleration builds summarizations over a defined summary range.
AnswersA, C, E

Summaries are stored on disk.

Why this answer

Option A is correct because accelerated data models store pre-computed summary tables on disk, which consume disk space. These summaries are built by the acceleration process and persist until the summary range expires or the data model is re-accelerated.

Exam trap

Splunk often tests the misconception that acceleration can be scheduled like a report or alert, but in reality it is a continuous background process that only allows configuration of the summary range, not a specific run time.

168
MCQhard

You are a Splunk administrator at a large e-commerce company. The operations team has created a real-time dashboard to monitor website performance. The dashboard includes multiple panels: a line chart showing page load times over the last 60 minutes, a single value showing the number of active users, and a table listing the top 10 slowest pages. The dashboard refreshes every 30 seconds. Recently, users have reported that the dashboard is very slow to load and sometimes times out. The underlying searches are not accelerated. The dashboard uses a shared time range picker set to 'Last 60 minutes'. The index for web logs receives about 2 GB of data per hour. The team wants to improve performance without losing real-time capability. Which approach best addresses the problem?

A.Reduce the time range to 'Last 15 minutes' and keep the 30-second refresh.
B.Increase the refresh interval to 5 minutes to reduce search frequency.
C.Implement summary indexing for the searches and run them every 5 minutes.
D.Remove the single value panel to reduce the number of searches.
AnswerA

Less data improves load time, still real-time.

Why this answer

Option A is correct because reducing the time range to 'Last 15 minutes' significantly decreases the volume of data each search must scan, which directly reduces search execution time and dashboard load time. Since the dashboard refreshes every 30 seconds, a shorter time range still provides near-real-time visibility while preventing timeouts. The underlying searches are not accelerated, so limiting the data scanned is the most effective immediate performance improvement.

Exam trap

The trap here is that candidates often choose to increase the refresh interval (Option B) thinking it reduces load, but the real bottleneck is the amount of data scanned per search, not the frequency of searches.

How to eliminate wrong answers

Option B is wrong because increasing the refresh interval to 5 minutes reduces search frequency but does not address the root cause of slow searches scanning 60 minutes of data; the dashboard would still be slow when it does refresh, and it loses real-time capability. Option C is wrong because summary indexing runs searches every 5 minutes, which introduces a 5-minute delay and breaks the real-time requirement; also, summary indexing requires additional storage and maintenance overhead. Option D is wrong because removing a single panel reduces the number of searches but does not address the volume of data scanned per search; the remaining panels would still scan the full 60-minute time range and remain slow.

169
MCQhard

An analyst wants to use a lookup to enrich events only if a condition is met, e.g., only for events where `status=error`. Which search pattern is most efficient?

A.`index=main | lookup error_codes.csv code description | where status="error"`
B.`index=main | lookup error_codes.csv code description if(status="error")`
C.`index=main | where status="error" | lookup error_codes.csv code description`
D.`index=main | inputlookup error_codes.csv | where status="error"`
AnswerC

Filtering first reduces the events that need lookup, improving performance.

Why this answer

Option C is correct because it filters events with `where status="error"` before the `lookup` command, reducing the dataset that the lookup must process. This minimizes resource usage and improves search performance, as the lookup only runs against the relevant subset of events. In Splunk, placing filters early in the pipeline is a best practice for efficiency.

Exam trap

Splunk often tests the misconception that `inputlookup` can be used to enrich events, but it actually replaces the event stream with lookup contents, making it a common trap for candidates who confuse it with the `lookup` command.

How to eliminate wrong answers

Option A is wrong because it runs the lookup on all events and then filters with `where status="error"`, wasting resources on events that will be discarded. Option B is wrong because the `if()` function is not a valid argument for the `lookup` command; Splunk does not support conditional lookups with that syntax. Option D is wrong because `inputlookup` loads the entire lookup file as events, ignoring the original index data and failing to enrich events with the lookup fields.

170
MCQmedium

A team creates a dashboard that uses a drop-down input to select a server. The dashboard slows down significantly when the input changes. What is the most likely cause?

A.The input is based on a report that runs every hour
B.The input's search is not using a summary index or accelerated data
C.The token name is too long
D.The input's results are cached too aggressively
AnswerB

Unaccelerated search over large data causes slowness.

Why this answer

Option B is correct because a drop-down input that triggers a search each time the user selects a new value can cause significant performance degradation if the underlying search is not optimized. Using a summary index or accelerated data allows the dashboard to retrieve pre-computed results instead of running a full raw data search on every selection, reducing load on the search head and indexers.

Exam trap

Splunk often tests the misconception that performance issues are caused by token length or caching aggressiveness, when the real culprit is the lack of search optimization through summary indexes or acceleration.

How to eliminate wrong answers

Option A is wrong because a report that runs every hour would not directly cause slowdowns on input changes; the input's search is independent of the report's schedule. Option C is wrong because token name length has no impact on search performance; tokens are simply placeholders for values and do not affect query execution time. Option D is wrong because caching results aggressively would actually improve performance, not slow it down; the issue is likely that results are not being cached or accelerated.

171
MCQeasy

A dashboard includes a single value visualization showing the total number of login failures. The number seems too high. Which common mistake could cause inflated counts?

A.Using `count` instead of `sum` when each event holds multiple failures
B.Using `dedup` before counting
C.Splitting by user without combining
D.Setting a too narrow time range
AnswerA

Count counts events, not values.

Why this answer

Option A is correct because when a single event contains multiple login failures (e.g., a log line like 'Failed logins: 5'), using `count` merely counts the number of events, not the total failures. The `sum` command is required to aggregate the numeric field representing failures across events, giving the true total. This is a classic pitfall in Splunk where `count` (event count) is confused with `sum` (field value summation).

Exam trap

Splunk often tests the confusion between `count` (event count) and `sum` (field value sum) when a single event can represent multiple occurrences, leading candidates to mistakenly choose `count` as the correct aggregation method.

How to eliminate wrong answers

Option B is wrong because `dedup` removes duplicate events, which would actually decrease the count, not inflate it; it is used to eliminate redundancy, not to cause overcounting. Option C is wrong because splitting by user without combining (e.g., using `stats count by user`) would produce per-user counts, not an inflated total—the overall sum would remain accurate if aggregated correctly. Option D is wrong because a too narrow time range would reduce the number of events returned, leading to a lower count, not an inflated one.

172
MCQmedium

A user creates a dashboard with multiple panels. Some panels share the same search. To improve performance, what should the user do?

A.Use post-process searches without a base search
B.Create separate searches for each panel with same query
C.Increase the time range to include more data
D.Define a base search and use post-process for each panel
AnswerD

Eliminates duplicate searches.

Why this answer

Option D is correct because defining a base search and using post-process searches allows the dashboard to run the common search once and then apply different post-processing transformations on the same result set. This reduces the overall search load on the indexers and search head, improving performance by avoiding redundant data retrieval and aggregation for each panel.

Exam trap

Splunk often tests the misconception that post-process searches can function independently without a base search, leading candidates to incorrectly select option A, when in reality post-process searches are dependent on a pre-existing base search result.

How to eliminate wrong answers

Option A is wrong because post-process searches require a base search to operate on; without a base search, there is no initial result set to filter or transform, so the panels would have no data. Option B is wrong because creating separate searches for each panel with the same query duplicates the search workload, increasing resource consumption and degrading performance rather than improving it. Option C is wrong because increasing the time range to include more data would expand the search scope, making the search slower and more resource-intensive, which is counterproductive to improving performance.

173
Multi-Selectmedium

Which of the following are components of the Splunk interface that can be used to refine and focus search results? (Choose all that apply. There are four correct answers.)

Select 4 answers
.Time Range Picker
.Search bar
.Fields sidebar
.Data Summary tab
.Job Inspector
.Search History

Why this answer

The Time Range Picker, Search bar, Fields sidebar, and Search History are all interface components in Splunk that directly allow users to refine and focus search results. The Time Range Picker restricts results to a specific time window, the Search bar is where queries are entered and modified, the Fields sidebar enables selection and filtering of specific fields, and Search History allows reusing or refining past searches. These four tools are integral to iterative search refinement in Splunk's Search & Reporting app.

Exam trap

Splunk often tests the distinction between tools that refine search results (like the Fields sidebar and Search History) versus tools that analyze search performance or explore data structure (like Job Inspector and Data Summary), leading candidates to mistakenly select the latter.

174
MCQhard

An automatic lookup is configured but it is not enriching events. The lookup file is large (100MB) and is updated daily. What setting could improve performance?

A.Set `filter` in transforms.conf
B.Enable `batch_index_lookup = true`
C.Increase `max_matches`
D.Use `| lookup` instead of automatic
AnswerB

Speeds up lookups.

Why this answer

Option B is correct because enabling `batch_index_lookup = true` in transforms.conf allows Splunk to process the entire 100MB lookup file in a single batch operation rather than performing individual lookups for each event. This significantly reduces I/O overhead and improves performance for large, daily-updated lookup files by loading the entire lookup into memory once per batch.

Exam trap

The trap here is that candidates often confuse `batch_index_lookup` with other lookup optimizations like `filter` or `max_matches`, or assume that switching to a search-time `| lookup` command is always faster, when in fact the batch setting directly addresses the performance bottleneck of large automatic lookups.

How to eliminate wrong answers

Option A is wrong because setting `filter` in transforms.conf is used to restrict which events are processed by the lookup, not to improve performance for large files; it reduces the number of events but does not address the core issue of lookup file size or batch processing. Option C is wrong because increasing `max_matches` controls how many matching values are returned per event, not the performance of loading or querying a large lookup file; it can actually degrade performance by returning more results. Option D is wrong because using `| lookup` instead of automatic lookup would still perform individual lookups per event, which is less efficient than batch processing; the performance issue is not about the lookup method but about how the lookup is executed internally.

175
Multi-Selectmedium

A dashboard designer wants to create a drilldown from one chart to another dashboard. Which TWO actions must be configured? (Select two.)

Select 2 answers
A.Add a search command to the chart
B.Set the source chart's drilldown to 'link to search'
C.Enable dashboard permissions
D.Set the target dashboard's token to accept the drilldown value
E.Set the chart's drilldown action to 'link to dashboard'
AnswersD, E

Required to pass the clicked value to the target dashboard.

Why this answer

Options A and B are correct. The chart must have drilldown set to 'link to dashboard' (A), and the target dashboard must accept a token from the drilldown (B). Option C is not required for drilldown.

Option D is incorrect because drilldown is a chart property, not a search command. Option E is incorrect because 'link to search' is a different drilldown type that opens a search.

176
Multi-Selecthard

Which THREE of the following are best practices when designing data models in Splunk?

Select 3 answers
A.Design the data model based on the most common reports to ensure quick results.
B.Enable acceleration only on data models that are used frequently.
C.Include every possible field in the data model to avoid future modifications.
D.Use constraints in root events to limit the dataset to relevant events.
E.Separate different sourcetypes into child objects under a common root event.
AnswersB, D, E

Saves storage and processing resources.

Why this answer

Option B is correct because enabling acceleration on all data models consumes significant disk space and processing overhead. Acceleration should be reserved for data models that are queried frequently to optimize resource usage and query performance. Splunk's acceleration feature pre-computes summaries for the root events and child objects, which is only beneficial when the data model is regularly accessed.

Exam trap

The trap here is that candidates often think including all fields (Option C) is thorough and future-proof, but Splunk best practices emphasize minimalism to avoid performance degradation and high storage costs.

177
MCQhard

A user has a search that produces a chart of error counts by host. They want to add a calculated field 'error_rate' as errors per million events. Which approach is correct?

A.Use eventstats to get total counts, then eval to compute rate, then chart
B.Use chart eval(error_count/total_count) by host
C.Use stats to compute error_rate directly: stats avg(error_rate) by host
D.Use the lookup command to apply a calculated field
AnswerA

eventstats adds aggregate counts to each event.

Why this answer

Option A is correct because it uses `eventstats` to compute the total count of events per host across the entire result set, then `eval` to calculate the error rate as (error_count / total_count) * 1,000,000, and finally `chart` to display the results. This two-step approach ensures the total count is available for each row before the rate calculation, which is necessary because `chart` alone cannot reference a field computed in the same command.

Exam trap

Splunk often tests the distinction between `eventstats` and `stats`, where candidates mistakenly use `stats` to compute a rate in a single step, not realizing that `stats` collapses events and prevents per-row calculations without a separate `eventstats` pass.

How to eliminate wrong answers

Option B is wrong because `chart eval(error_count/total_count) by host` is invalid syntax; `chart` does not support an `eval` function inside its argument, and `total_count` is not defined in the search context. Option C is wrong because `stats avg(error_rate) by host` assumes `error_rate` already exists as a field, but it does not; also, `stats` cannot compute a rate from raw counts without first calculating those counts. Option D is wrong because the `lookup` command is used to enrich events with data from an external lookup table, not to compute calculated fields from existing event data.

178
MCQeasy

A user wants to save a search for later use but not schedule it. Which action should the user take?

A.Click Save As > Report and schedule it.
B.Click Save As > Alert.
C.Click Save As > Dashboard Panel.
D.Click Save As > Search.
AnswerD

This saves the search for later manual execution.

Why this answer

Option D is correct because clicking Save As > Search saves the search string and properties (time range, mode) as a reusable search without any scheduling or alerting. This allows the user to run the search manually later from the 'Searches & Reports' page without it executing on a schedule.

Exam trap

The trap here is that candidates often confuse 'Save As > Search' with 'Save As > Report', assuming a report is the only way to save a search, but a report implies scheduling and is not a simple save for later manual use.

How to eliminate wrong answers

Option A is wrong because saving as a Report and scheduling it would create a report that runs on a schedule, which the user explicitly does not want. Option B is wrong because saving as an Alert creates a triggered action based on search results, which requires scheduling and is not a simple save for later manual use. Option C is wrong because saving as a Dashboard Panel embeds the search into a dashboard, which is not a standalone saved search for later manual execution.

179
MCQmedium

A user needs to create a report showing the average response time per endpoint for the last hour. Which command would produce this result?

A.chart avg(response_time) over endpoint
B.eval avg(response_time)
C.top endpoint
D.stats avg(response_time) by endpoint
AnswerD

stats computes the average of response_time for each endpoint.

Why this answer

Option D is correct because the `stats` command with `avg(response_time) by endpoint` calculates the average response time for each unique endpoint, which directly meets the requirement of showing average response time per endpoint for the last hour. The `stats` command is the standard way to compute aggregate statistics like average over grouped fields in Splunk.

Exam trap

Splunk often tests the distinction between `stats` and `chart` commands, where candidates mistakenly use `chart` with `over` instead of `by`, or confuse `eval` with aggregation functions, leading them to choose incorrect options like A or B.

How to eliminate wrong answers

Option A is wrong because `chart avg(response_time) over endpoint` uses incorrect syntax; the `chart` command requires `by` instead of `over` to group results, and this would cause a parsing error. Option B is wrong because `eval avg(response_time)` does not compute an aggregate average; `eval` is used for per-event calculations and field assignments, not for statistical aggregation across events. Option C is wrong because `top endpoint` only shows the most frequent endpoints based on count, not the average response time per endpoint.

180
MCQmedium

A security analyst runs a search for failed logins and wants to display the source IP address, username, and count of failures. However, the field 'src_ip' is not showing in the field picker. Which of the following is the most likely reason?

A.The field has no values in the results.
B.The user does not have permission to view the field.
C.The field is not extracted by default from the data source.
D.The field name contains a typo.
AnswerC

Fields must be explicitly extracted using 'rex' or 'extract' to appear in the field picker if not automatically recognized.

Why this answer

Option C is correct because in Splunk, fields like 'src_ip' are not automatically extracted from raw event data unless the data source has a predefined source type that includes field extraction rules (e.g., via a technology add-on or custom regex). If the field does not appear in the field picker, it typically means the search has not extracted it from the raw events, so the analyst must use commands like `rex` or `extract` to parse it.

Exam trap

The trap here is that candidates often assume a missing field is due to permissions or no values, but Splunk's field picker only shows fields that have been explicitly extracted from the data, not all possible fields in the raw text.

How to eliminate wrong answers

Option A is wrong because if the field had no values, it would still appear in the field picker (with a count of zero) if it were extracted; the absence from the picker indicates it was never extracted. Option B is wrong because permission issues would prevent viewing the field's values or the field itself, but the field would still be listed in the field picker if it existed in the data; Splunk's role-based access controls do not hide field names from the picker. Option D is wrong because a typo in the field name would cause the search to not reference it correctly, but the field 'src_ip' would still appear in the field picker if it were extracted from the data; the issue is that it was never extracted.

181
Matchingmedium

Match each index type to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Default index for all data unless otherwise specified

Stores pre-computed results for faster searches

Optimized for numeric metric data

Stores data model acceleration data

Why these pairings

Indexes organize data for efficient searching.

182
MCQeasy

An administrator needs to share a report with executives who prefer to see data in a tabular format with sorting capabilities. Which reporting method is best?

A.Dashboard panel
B.Gauges
C.Table
D.Pie chart
AnswerC

Tables display data in rows and columns with sorting.

Why this answer

Option C is correct because a Table visualization in Splunk provides a tabular format with built-in sorting capabilities (clickable column headers), which directly meets the executives' requirement for viewing data in a structured, sortable table. Unlike other visualizations, the Table report type preserves raw event data in rows and columns, allowing users to reorder results by any field without additional configuration.

Exam trap

The trap here is that candidates may confuse a Dashboard panel (which can contain a table) with the Table reporting method itself, or assume that a Pie chart or Gauge can be configured to display tabular data, when in fact only the Table visualization provides row-level sorting and a grid layout.

How to eliminate wrong answers

Option A is wrong because a Dashboard panel is a container for visualizations, not a specific reporting method; it can host tables, charts, or gauges, but does not inherently provide a tabular format with sorting. Option B is wrong because Gauges display a single metric value (e.g., a number on a dial or radial scale) and lack both tabular structure and row-level sorting capabilities. Option D is wrong because a Pie chart is a categorical visualization that shows proportional slices of a whole, with no support for tabular data or sorting by multiple fields.

183
Multi-Selecteasy

A user wants to view the contents of a lookup table file named `users.csv` that is stored in Splunk. Which two commands can be used? (Choose two.)

Select 2 answers
A.`| inputlookup users.csv`
B.`| inputlookup users` (assuming lookup name is users)
C.`| fields users.csv`
D.`| outputlookup users.csv`
E.`| lookup users.csv`
AnswersA, B

Reads the lookup.

Why this answer

Option A is correct because `| inputlookup users.csv` reads the contents of a static lookup table file named `users.csv` directly from Splunk's lookups directory. Option B is correct because `| inputlookup users` references the lookup by its defined name in transforms.conf, which maps to the file `users.csv`; this is the standard way to access a lookup that has been configured as a lookup definition.

Exam trap

The trap here is that candidates confuse `inputlookup` (which reads and displays lookup contents) with `lookup` (which enriches search results) or `outputlookup` (which writes data), and they forget that the lookup name in `inputlookup` can omit the file extension if a lookup definition exists.

184
MCQmedium

An analyst runs the search `index=web | stats count by status | sort - count` and wants to show only status codes with count greater than 100. Which command should be added before the sort?

A.eval count>100
B.search count>100
C.where count>100
D.filter count>100
AnswerC

where filters the stats results.

Why this answer

Option C is correct because the `where` command is used to filter results based on a condition after statistical aggregation. In this search, `stats count by status` creates a field called `count`, and `where count>100` filters the results to show only status codes with a count greater than 100. The `where` command operates on the results of the `stats` command, making it the appropriate choice for post-aggregation filtering.

Exam trap

Splunk often tests the distinction between `search` (pre-aggregation filtering) and `where` (post-aggregation filtering), and candidates mistakenly use `search` to filter computed fields like `count` from `stats`, not realizing that `search` operates on raw events before transformation.

How to eliminate wrong answers

Option A is wrong because `eval count>100` would create a new field named `count` with a boolean value (true/false) rather than filtering the results, and it would overwrite the existing `count` field from the `stats` command. Option B is wrong because `search count>100` would attempt to filter events before the `stats` command, but `count` is not a field in the raw events; it is a computed field created by `stats`, so the search would return no results or an error. Option D is wrong because `filter` is not a valid Splunk command; Splunk uses `where` for conditional filtering, not `filter`.

185
MCQmedium

Refer to the exhibit. The search is not returning the `app_name` field as expected. The lookup has many entries with wildcard patterns. What is the most likely issue?

A.The lookup definition uses WILDCARD match type, which is incompatible with the lookup command.
B.The lookup command uses OUTPUTNEW, but the event already has an app_name field (possibly null) so the lookup does not overwrite it.
C.The eval statement should not rename src_ip; the lookup should directly use src_ip.
D.The lookup command needs the option max_matches=1 to work with wildcards.
AnswerB

OUTPUTNEW only adds the field if it doesn't exist; if it exists empty, it remains empty.

Why this answer

Option B is correct because the `OUTPUTNEW` clause in the `lookup` command only writes the field if it does not already exist in the event. If the event already contains an `app_name` field (even with a null value), the lookup will not overwrite it, so the expected value from the wildcard lookup is not returned. This is a common pitfall when using lookups with fields that may already be present in the data.

Exam trap

Splunk often tests the subtle difference between `OUTPUT` and `OUTPUTNEW` in lookups, and the trap here is that candidates assume `OUTPUTNEW` will always populate a field, not realizing it refuses to overwrite an existing field even if that field is null or empty.

How to eliminate wrong answers

Option A is wrong because the `WILDCARD` match type is fully compatible with the `lookup` command; it is designed to match patterns like `*` in lookup tables. Option C is wrong because renaming `src_ip` via `eval` is a valid approach to align field names with the lookup key, and the lookup can directly use the renamed field. Option D is wrong because `max_matches=1` controls how many results to return per input, but it does not affect the fundamental issue of `OUTPUTNEW` preventing overwrite of an existing field.

186
Drag & Dropmedium

Drag and drop the steps to create a Splunk dashboard with a single panel into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Dashboards are built by saving search results as panels and organizing them.

187
Matchingmedium

Match each lookup type to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Stores lookup data in a CSV file

Stores lookup data in a key-value store collection

Runs an external script to perform lookup

Matches coordinates to geographic regions

Why these pairings

Lookups enrich events with external data.

188
MCQhard

A user wants to create a Pivot report that counts failed login attempts by user and hour. Which data model dataset and fields are most appropriate?

A.Web dataset, fields: user, status, time
B.Network_Traffic dataset, fields: user, dest, action
C.Authentication dataset, fields: user, action, src
D.Authentication dataset, fields: user, action, and use _time for hour
AnswerD

Authentication dataset with action=failure and _time allows counting by user and hour.

Why this answer

Option D is correct because the Authentication dataset is specifically designed to store login-related events, and the 'action' field indicates success or failure. Using 'user' and '_time' (extracted to hour via time bucketing) allows counting failed attempts per user per hour. The other datasets either lack the necessary fields or are not focused on authentication events.

Exam trap

Splunk often tests the distinction between dataset purpose and field relevance, trapping candidates who choose a dataset with a plausible field name (like 'status' in Web) but that isn't designed for authentication events.

How to eliminate wrong answers

Option A is wrong because the Web dataset typically contains HTTP request/response data (e.g., URLs, status codes), not authentication-specific fields like 'action' to denote login success/failure. Option B is wrong because the Network_Traffic dataset focuses on network connections (e.g., source/destination IPs, protocols), not user login attempts, and lacks an 'action' field for failure status. Option C is wrong because although it uses the Authentication dataset, it includes 'src' (source IP) instead of a time-based field for hour aggregation, and fails to leverage '_time' for time bucketing.

189
MCQhard

Refer to the exhibit. The search returns zero results. What is a likely cause?

A.The 'spath' command should use 'output=response.status' to create the field
B.The 'raw_data' field may not contain valid JSON
C.The search should be 'sourcetype=json_logs' first
D.The 'stats' command cannot use 'response.status' because it's not a field
AnswerB

If raw_data is not JSON, spath produces no fields.

Why this answer

The 'spath' command extracts fields from JSON, but if 'raw_data' is not a valid JSON string, extraction fails. Also, 'search' after 'spath' should work, but if 'response.status' is not extracted, no results. The most common issue is that the field 'raw_data' might not exist or the JSON path is incorrect.

190
MCQmedium

A dashboard has a radio button input that selects a sourcetype. The panel uses `index=web sourcetype=$source$`. However, when the user selects a sourcetype, the panel doesn't update. What is the most likely cause?

A.The token name in the search is `$source$` but the input token is named `sourcetype`.
B.The search includes a `stats` command that ignores the token.
C.The panel is a single value panel that does not update dynamically.
D.The time range is too short and returns no events.
AnswerA

Token names must match between input and search reference.

Why this answer

The dashboard panel does not update because the token referenced in the search string (`$source$`) does not match the name of the radio button input. In Splunk, a dashboard input creates a token with the name specified in its `token` attribute. If the input's token is named `sourcetype`, the search must use `$sourcetype$` to reference its value.

Using `$source$` means the search looks for a token that does not exist, so no substitution occurs and the panel remains static.

Exam trap

Splunk often tests the exact token naming mismatch between the input's `token` attribute and the `$token_name$` used in the search, tricking candidates into blaming panel types or search commands instead.

How to eliminate wrong answers

Option B is wrong because the `stats` command does not ignore tokens; tokens are resolved at search parse time, before any commands execute, so a `stats` command would still receive the substituted value. Option C is wrong because single value panels do update dynamically when their underlying search changes; the panel type does not prevent token-driven updates. Option D is wrong because the time range being too short would simply return no results, but the panel would still attempt to run the search and update (showing 'No results'), not remain unchanged.

191
MCQhard

When using an automatic lookup in props.conf, which setting controls the order in which multiple automatic lookups apply to the same sourcetype?

A.The order in which they are listed in transforms.conf
B.The numeric suffix after LOOKUP- in props.conf
C.The `batch_index_query` setting
D.The `priority` field in the lookup definition
AnswerB

Rules with lower numeric suffix applied first.

Why this answer

In Splunk, when multiple automatic lookups are defined for the same sourcetype in props.conf, the order of execution is determined by the numeric suffix appended to the LOOKUP- stanza (e.g., LOOKUP-1, LOOKUP-2). Splunk processes these lookups in ascending numeric order, ensuring a predictable sequence. This allows administrators to chain lookups where the output of one lookup can feed into the next.

Exam trap

Splunk often tests the misconception that the order of stanzas in props.conf or the listing order in transforms.conf determines lookup execution order, when in fact it is strictly the numeric suffix after LOOKUP- that controls the sequence.

How to eliminate wrong answers

Option A is wrong because the order in which lookups are listed in transforms.conf does not control execution order; transforms.conf only defines the lookup table structure and fields, not the sequence of application. Option C is wrong because `batch_index_query` is a setting used in transforms.conf to control whether a lookup is performed as a batch query against the index, not a mechanism for ordering multiple lookups. Option D is wrong because there is no `priority` field in the lookup definition; Splunk does not support a priority attribute for ordering lookups—the numeric suffix in props.conf is the sole ordering mechanism.

192
MCQmedium

A user wants to create a field that contains the length of the 'message' field. Which command should they use?

A.rex field=message "(?<msg_length>.*)"
B.eval msg_length=sizeof(message)
C.len(message)
D.eval msg_length=len(message)
AnswerD

Correct way to compute length.

Why this answer

Option D is correct because the `eval` command in Splunk is used to create or modify fields, and the `len()` function returns the character length of a string field. The syntax `eval msg_length=len(message)` creates a new field named `msg_length` containing the length of the `message` field.

Exam trap

Splunk often tests the distinction between functions that must be used within `eval` versus standalone commands, and candidates mistakenly treat `len()` as a standalone command like `rex` or `stats`.

How to eliminate wrong answers

Option A is wrong because `rex` is used for regular expression extraction, not for calculating string length; the regex `(?<msg_length>.*)` would capture the entire message content into a field named `msg_length`, not its length. Option B is wrong because `sizeof()` is not a valid Splunk function; it is a C/C++ operator and would cause an error in Splunk. Option C is wrong because `len(message)` is not a standalone command; it must be used within an `eval` expression to assign the result to a field.

193
Matchingmedium

Match each knowledge object to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Define how to extract fields from raw data

A search that is persisted and can be scheduled

Saved search with visualization or statistics

Saved search that triggers actions on conditions

Collection of panels with saved searches or reports

Why these pairings

These are core knowledge objects in Splunk.

194
MCQhard

A Splunk administrator needs to create a dashboard that displays a summary of sales data from multiple regions. Each region's data is in a separate index. The dashboard should allow users to select a region from a dropdown and see the sales data for that region. Which type of dashboard input should be used?

A.A text input field where users type the region name
B.A radio button group with predefined regions
C.A dropdown input that populates from a search returning the list of regions
D.A checkbox list with multiple regions
AnswerC

Dynamic, user-friendly, and scalable, allowing single selection from a list.

Why this answer

Option C is correct because a dropdown input that populates from a search dynamically retrieves the list of region names from the data, ensuring the dashboard always reflects the actual indices available. This approach is scalable and reduces manual maintenance, as the dropdown options are generated by a Splunk search (e.g., `| eventcount summarize=false index=* | dedup index | table index`), making it ideal for a multi-index scenario where regions may change over time.

Exam trap

The trap here is that candidates may choose a static input (like a radio button or text field) because they overlook the need for dynamic data-driven options, or they may select a checkbox list thinking it allows single selection, but Splunk's checkbox input inherently permits multiple selections unless explicitly constrained by JavaScript or custom logic.

How to eliminate wrong answers

Option A is wrong because a text input field requires users to manually type the exact region name, which is error-prone and inefficient; it also lacks validation against the actual index names, potentially leading to failed searches. Option B is wrong because a radio button group with predefined regions is static and cannot adapt to changes in the data or indices; it would require manual updates to the dashboard whenever a region is added or removed. Option D is wrong because a checkbox list allows multiple selections, which contradicts the requirement for a single region selection; it would also need to be populated statically or via a search, but the multi-select behavior is not appropriate for a summary view of one region at a time.

195
MCQmedium

A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?

A.| sort by _time | head 10
B.| sort -_time | head 10
C.| sort +_time | head 10
D.| sort _time | head 10
AnswerB

Sorts descending, gives newest 10.

Why this answer

Option B is correct because the `sort` command with a hyphen prefix (`-`) sorts in descending order. By default, `sort` sorts in ascending order, so `sort -_time` sorts events by the `_time` field from newest to oldest, and `head 10` returns the first 10 events, which are the 10 most recent.

Exam trap

Splunk often tests the specific syntax of the `sort` command, where candidates mistakenly think `sort by` is valid (like SQL) or that a plus sign (`+`) indicates descending order, when in fact only a hyphen (`-`) works for descending and no prefix means ascending.

How to eliminate wrong answers

Option A is wrong because `sort by _time` is invalid syntax; the correct syntax is `sort _time` (without 'by'), and it defaults to ascending order, which would return the oldest events first. Option C is wrong because `sort +_time` uses a plus sign, which is not a valid prefix in Splunk; the correct prefix for descending order is a hyphen (`-`), and the plus sign is ignored or causes an error. Option D is wrong because `sort _time` sorts in ascending order by default, returning the oldest events first instead of the newest.

196
Multi-Selecteasy

Which TWO chart types are best suited for showing the distribution of categorical data?

Select 2 answers
A.Scatter chart
B.Line chart
C.Area chart
D.Pie chart
E.Column chart
AnswersD, E

Good for categorical distribution.

Why this answer

Pie charts and column charts are both effective for displaying the distribution of categorical data because they visually compare parts of a whole or the frequency of distinct categories. In Splunk, the `pie` and `column` chart types are commonly used with the `chart` or `timechart` commands to aggregate event counts or statistical values by a categorical field, making it easy to see relative proportions or rankings.

Exam trap

Splunk often tests the misconception that line charts are suitable for any data with a time field, but they are only appropriate when the x-axis represents a continuous time series, not categorical labels.

197
MCQhard

A dashboard developer wants to add a table that only shows the top 5 values of a field. Which dashboard editor component should they use?

A.Radio button input
B.Dropdown input
C.Single Value visualization
D.Filter input
AnswerD

Filter can be set to display top 5 results from a search.

Why this answer

Option B is correct because a Filter is used for top-N queries. Option A is wrong because a Radio button is for selecting one value from predefined options. Option C is wrong because a Dropdown is similar to radio but with multiple selections.

Option D is wrong because a Single Value is for displaying a single metric.

198
Multi-Selectmedium

A security analyst wants to enrich authentication logs with a lookup table containing user department and manager information. Which TWO statements are true about using lookups in Splunk?

Select 2 answers
A.Once a lookup is defined, it cannot be updated.
B.The inputlookup command can be used to load a lookup file into a search.
C.Lookups can only be created from CSV files.
D.Lookups can only match on a single field.
E.Automatic lookups can be configured in props.conf and transforms.conf.
AnswersB, E

inputlookup loads the lookup table into the search results.

Why this answer

Option B is correct because the `inputlookup` command loads the contents of a static lookup file (e.g., CSV, KV store) directly into a search pipeline as events, allowing the analyst to inspect or further process the lookup data. This is a standard Splunk SPL command used for ad-hoc enrichment without requiring a defined lookup definition.

Exam trap

The trap here is that candidates confuse `inputlookup` (which loads the lookup table as events) with the `lookup` command (which enriches existing events), leading them to incorrectly dismiss Option B as incorrect.

199
Multi-Selecteasy

Which TWO options are valid methods to add a visualization to a dashboard?

Select 2 answers
A.Save a search as a dashboard panel
B.Use the Dashboard Studio editor
C.Drag a chart from the search page
D.Append the chart command to the search
E.Use the export to PDF feature
AnswersA, B

When saving a search, you can choose to add it to a dashboard as a panel.

Why this answer

Option A is correct because saving a search as a dashboard panel directly creates a visualization on a dashboard. When you run a search that produces a chart or table, the 'Save As' menu includes an option to save it as a dashboard panel, which automatically adds the visualization to an existing or new dashboard.

Exam trap

Splunk often tests the distinction between methods that add visualizations to dashboards versus methods that export or transform data, so candidates may confuse the 'chart' command or export features with dashboard creation methods.

200
MCQeasy

Which visualization type is best suited to show the proportion of errors by category (e.g., HTTP 404, 500, 403) as parts of a whole?

A.Single value
B.Column chart
C.Scatter plot
D.Pie chart
AnswerD

Pie charts effectively display parts of a whole.

Why this answer

A pie chart is the correct choice because it is specifically designed to display the proportional distribution of categorical data as parts of a whole. In Splunk, the `pie` visualization type visually represents the relative size of each error category (e.g., HTTP 404, 500, 403) as slices of a circle, making it immediately clear which category accounts for the largest share of errors.

Exam trap

The trap here is that candidates often choose a Column chart (Option B) because they think of comparing error counts, but the question specifically asks for 'parts of a whole' — a pie chart is the only visualization that inherently shows proportional share, not absolute comparison.

How to eliminate wrong answers

Option A is wrong because a Single Value visualization shows only one aggregated number (e.g., total error count) and cannot display multiple categories or their proportions. Option B is wrong because a Column chart is best for comparing values across categories over time or groups, not for showing parts of a whole; it emphasizes magnitude differences rather than proportional share. Option C is wrong because a Scatter plot is used to visualize the relationship between two numerical variables (e.g., error count vs. response time) and is not suitable for showing categorical proportions.

201
MCQmedium

An analyst created a report that runs a search over the last 7 days. The report is scheduled to run daily. Each time the report runs, it takes a long time and impacts other searches. What is the best way to improve performance without changing the data model?

A.Change the schedule to run weekly instead of daily.
B.Change the time range to 'Last 24 hours' to reduce data scanned.
C.Enable report acceleration on the report.
D.Create a summary index and populate it with a separate scheduled search.
AnswerC

Report acceleration pre-computes and caches results, speeding up subsequent runs.

Why this answer

Option C is correct because report acceleration pre-computes and stores the results of a report's search in a summary cache, allowing subsequent runs to retrieve the cached data instead of re-executing the full search over the raw data. This drastically reduces runtime and resource consumption without altering the underlying data model or the report's logic.

Exam trap

The trap here is that candidates often confuse report acceleration with summary indexing (Option D) and assume the latter is the only way to pre-compute results, or they incorrectly think changing the time range (Option B) is a performance fix without realizing it alters the report's data scope.

How to eliminate wrong answers

Option A is wrong because running the report weekly instead of daily only reduces the frequency of the performance impact, but does not address the root cause of the long-running search each time it executes. Option B is wrong because changing the time range to 'Last 24 hours' would alter the report's data scope and potentially break the requirement to analyze the last 7 days, which is a change to the data model's query parameters. Option D is wrong because creating a summary index and populating it with a separate scheduled search is a valid optimization technique, but it requires additional administrative overhead and changes to the data pipeline, whereas report acceleration provides a simpler, built-in solution that directly caches the report's results without manual index management.

202
Multi-Selectmedium

Which two of the following are best practices when designing Splunk data models? (Choose two.)

Select 2 answers
A.Limit the number of fields to no more than 100.
B.Avoid using wildcards in field names.
C.Avoid time-based constraints to ensure all historical data is searchable.
D.Enable acceleration for large datasets.
E.Leave constraints undefined to include all events.
AnswersB, D

Wildcards in field names can cause performance degradation and should be avoided.

Why this answer

Option A is correct because using wildcards in field names can lead to performance issues and should be avoided. Option D is correct because data model acceleration should be enabled for large datasets to improve search performance. Option B is wrong because constraints should be defined to filter out unnecessary events, not omitted.

Option C is wrong because there is no strict limit of 100 fields; the limit is based on performance. Option E is wrong because time-based constraints are essential for efficient data model searches.

203
MCQhard

A SOC manager creates a dashboard with multiple time-range pickers (one global, one per panel). The global picker is set to 'Last 7 days' but one panel uses its own picker set to 'Last 24 hours'. When the dashboard loads, which time range will the panel use?

A.The dashboard default of 'Last 24 hours'
B.A combination of both: the last 7 days but limited to 24 hours
C.The global picker setting of 'Last 7 days'
D.The panel's own picker setting of 'Last 24 hours'
AnswerD

Panel-specific settings take precedence over global.

Why this answer

Option D is correct because a panel-specific time picker overrides the global picker. Option A is wrong because the panel picker is not ignored; it has higher precedence. Option B is wrong because the global picker does not override; the panel picker takes precedence.

Option C is wrong because the panel does not combine both; it uses its own.

204
Multi-Selecteasy

Which TWO of the following are best practices when creating a data model in Splunk? (Choose two.)

Select 2 answers
A.Test the data model on a sample of data before deploying widely.
B.Add many calculated fields to reduce the need for extra searches.
C.Only create data models after a search is written to confirm the need.
D.Use descriptive names for root events and fields.
E.Include as many constraints as possible to filter events.
AnswersA, D

Testing ensures the data model works as expected.

Why this answer

Option A is correct because testing a data model on a sample of data before deploying widely validates that the root events, fields, and constraints produce accurate and expected results. This practice prevents performance degradation and incorrect reporting in production by catching issues like missing fields or overly broad constraints early, aligning with Splunk's recommended iterative development approach.

Exam trap

The trap here is that candidates often confuse 'calculated fields' as always beneficial for reducing search complexity, but Splunk explicitly warns that excessive calculated fields can harm performance and are not a best practice for data model design.

205
MCQmedium

An analyst has multiple Splunk apps installed and wants to ensure a search runs against data from a specific app's index. Which action should they take?

A.Type the app name in the search bar before the search string.
B.Select the specific app from the app dropdown in the menu bar.
C.Adjust the time range picker to focus on the app's data time.
D.Select 'All apps' in the app dropdown to include all data.
AnswerB

The app dropdown sets the context for searches and knowledge objects.

Why this answer

Option C is correct because setting the app context in the app dropdown filters the available data and knowledge objects. Option A is wrong because the search bar doesn't set app context. Option B is wrong because 'All apps' shows all data, not restricting.

Option D is wrong because the time range doesn't affect app context.

206
Multi-Selectmedium

Which TWO commands can be used to filter events based on a field value? (Choose two.)

Select 2 answers
A.eval
B.search
C.stats
D.where
E.table
AnswersB, D

The search command can filter events.

Why this answer

The `search` command is the primary way to filter events in Splunk, and it can be used to filter based on field values using syntax like `field=value`. The `where` command evaluates Boolean expressions and is specifically designed to filter results based on field values, supporting comparisons, wildcards, and functions. Both commands directly filter events by evaluating field values.

Exam trap

Splunk often tests the distinction between commands that transform data (like `eval` and `stats`) versus commands that filter events (like `search` and `where`), and the trap here is that candidates mistakenly think `eval` filters because it can conditionally assign values, but it never removes events from the result set.

207
Multi-Selecthard

Which THREE of the following are valid considerations when scheduling a report for PDF delivery via email? (Choose three.)

Select 3 answers
A.The report can be sent as a PDF attachment or as a link to the report in Splunk.
B.The report can include HTML-embedded CSV data directly in the email body.
C.The email server must be configured to allow inbound SMTP from Splunk.
D.If the report contains sensitive data, the PDF may still contain the data even if the user cannot access the report due to app-level permissions.
E.The recipient must have at least read permissions on the report to view it in Splunk.
AnswersA, D, E

Both delivery options are available.

Why this answer

Option A is correct because when scheduling a report for PDF delivery via email, Splunk allows you to choose between sending the report as a PDF attachment or as a link to the report within Splunk. This is a configurable option in the schedule's email settings, providing flexibility for recipients who may prefer direct access to the live report in Splunk versus a static PDF file.

Exam trap

The trap here is that candidates often confuse the direction of SMTP traffic (inbound vs. outbound) and assume Splunk needs to receive email, when in fact Splunk only sends email via outbound SMTP.

208
MCQmedium

A security analyst needs to create a data model for authentication logs that allows both event counts and average duration calculations. The data model should support fast search performance. Which approach best follows Splunk best practices for data model design?

A.Define root events as event types and add child transactions for duration calculations.
B.Define the root event as an event type with calculated fields for duration.
C.Define the root event as a transaction type to include duration inherently.
D.Create separate data models for counts and durations.
AnswerA

This approach allows efficient counts from root events and duration calculations from child transactions, following best practices.

Why this answer

Option A is correct because Splunk best practices for data model design recommend using root events as event types for base calculations like counts, and adding child transactions (or child datasets) for calculations that require grouping multiple events, such as average duration. This separation optimizes search performance by allowing the data model to leverage the faster event-based search for counts while using transactions only when necessary for duration calculations.

Exam trap

Splunk often tests the misconception that transactions should be used at the root level for all calculations, but the trap here is that candidates confuse transaction types (which are slow for counts) with event types (which are fast), leading them to choose Option C instead of the correct separation of concerns in Option A.

How to eliminate wrong answers

Option B is wrong because calculated fields on root events cannot compute duration across multiple events; duration requires grouping events (e.g., start and end), which is not possible with single-event calculated fields. Option C is wrong because defining the root event as a transaction type would force every search to use transaction processing, which is resource-intensive and slow for simple counts, violating the requirement for fast search performance. Option D is wrong because creating separate data models for counts and durations duplicates data and increases maintenance overhead, whereas a single data model with root events and child transactions is more efficient and follows Splunk best practices.

209
MCQeasy

A user creates a report that summarizes error codes by frequency. They want to share it with the team so others can view but not edit. Which permission should the user set on the report?

A.The 'edit' permission for the team
B.The 'share' permission for the team
C.The 'write' permission for the team
D.The 'read' permission for the team
AnswerD

Read permission allows viewing without editing.

Why this answer

The 'read' permission (Option D) is correct because it grants view-only access to the report, allowing team members to see the summarized error codes without the ability to modify or delete the report. In Splunk, permissions are managed via roles and object-level access control, where 'read' enables viewing but not editing, which aligns with the user's requirement to share the report for viewing only.

Exam trap

The trap here is that candidates often confuse the 'share' permission with the ability to let others view the report, but 'share' in Splunk refers to the capability to share objects with others, not the permission that controls viewing access on the object itself.

How to eliminate wrong answers

Option A is wrong because the 'edit' permission would allow team members to modify the report, which contradicts the requirement that others can view but not edit. Option B is wrong because 'share' permission is not a standard Splunk object-level permission; sharing is a capability that controls whether a user can share objects, not a permission set on the report itself. Option C is wrong because 'write' permission in Splunk is synonymous with edit access, enabling users to modify or delete the report, which is not desired.

210
MCQeasy

A user wants to rename the field 'src_ip' to 'sourceIP' in all search results without modifying the raw data. Which method should they use?

A.Use the eval command to assign src_ip to a new field sourceIP
B.Add an alias in props.conf
C.Use the fields command: | fields src_ip as sourceIP
D.Use the rename command: | rename src_ip as sourceIP
AnswerD

The rename command renames the field in the search results.

Why this answer

The `rename` command is the correct choice because it changes the field name in the search results without altering the underlying raw data. It operates on the field metadata in the search pipeline, allowing you to display 'sourceIP' instead of 'src_ip' for the duration of the search.

Exam trap

The trap here is that candidates often confuse the `rename` command with the `eval` command for creating aliases, or mistakenly think the `fields` command can rename fields, when in fact `fields` only controls field inclusion/exclusion and has no rename capability.

How to eliminate wrong answers

Option A is wrong because `eval` creates a new field (sourceIP) with the value of src_ip, but leaves the original src_ip field present, resulting in duplicate fields rather than a rename. Option B is wrong because `props.conf` is a configuration file used at index time to define field extractions or aliases for the entire index, not for renaming fields in a single search without modifying raw data. Option C is wrong because the `fields` command is used to include or exclude fields from search results, not to rename them; `| fields src_ip as sourceIP` is invalid syntax and would cause an error.

211
MCQeasy

A junior analyst creates a dashboard to monitor server CPU usage. The dashboard contains a single panel with a line chart showing CPU percentage over the last 24 hours. The analyst then adds a second panel that displays the same data but as a single value showing the average CPU. Both panels use the exact same search string. The dashboard loads slowly, and users complain of wait times. The analyst wants to improve performance without changing the displayed data. Which course of action is best?

A.Keep both panels but add more resources to the Splunk server
B.Convert the dashboard to use a base search and post-process the panels
C.Remove the single value panel and embed its value in the line chart title
D.Enable report acceleration on one of the panels
AnswerB

Base search runs once and both panels use post-process, reducing load.

Why this answer

Option B is correct because using a base search with post-process searches allows both panels to share a single dataset, reducing redundant search execution. Instead of running the same heavy search twice, the base search runs once, and each panel applies lightweight post-processing (e.g., timechart vs. stats) on the cached results. This directly addresses the slow load time without altering the displayed data.

Exam trap

The trap here is that candidates often confuse post-processing with report acceleration or think that removing a panel is the only way to improve performance, but Splunk's base search feature is the designed solution for sharing search results across panels without data loss.

How to eliminate wrong answers

Option A is wrong because adding more resources to the Splunk server does not fix the root cause—duplicate search execution—and is an inefficient, costly workaround. Option C is wrong because embedding the average in the line chart title changes the displayed data (removing the single value panel) and may not meet the requirement to keep the same data presentation. Option D is wrong because report acceleration is designed for scheduled reports or summary indexing, not for real-time dashboard panels; it would not reduce the load time for the current 24-hour search and could introduce stale data.

212
MCQmedium

An admin wants to add a new data input for a network device sending syslog. Under which Settings menu would the admin navigate?

A.Settings > Knowledge
B.Settings > Alerts
C.Settings > Reporting
D.Settings > Data Inputs
AnswerD

Data Inputs lists all available input types (TCP, UDP, scripts, etc.).

Why this answer

Option A is correct because Data Inputs is the dedicated section for configuring inputs. Option B is wrong because Reporting is for reports. Option C is wrong because Alerts is for alerting.

Option D is wrong because Knowledge is for knowledge objects.

213
MCQmedium

An administrator wants to add a lookup table that maps user IDs to department names. The lookup file is a CSV with columns `user_id` and `department`. To use this lookup in searches, what must be configured?

A.Define the lookup as a time-based lookup.
B.Define the lookup table file in the transforms.conf with a search string.
C.Upload the CSV to Splunk and it automatically becomes available.
D.Define a lookup definition in props.conf and transforms.conf.
AnswerD

Standard configuration.

Why this answer

Option D is correct because to use a static CSV lookup in Splunk, you must first upload the file to the lookups directory, then define a lookup stanza in transforms.conf specifying the filename, and finally create a lookup definition in props.conf (or via the UI) to make it available for search commands like `lookup` or `inputlookup`. This two-step configuration ensures Splunk can locate the file and map the fields correctly.

Exam trap

Splunk often tests the misconception that uploading a CSV file alone makes it usable as a lookup, but the trap here is that you must configure both transforms.conf and a lookup definition (props.conf or UI) to register the lookup for search-time use.

How to eliminate wrong answers

Option A is wrong because time-based lookups are used for external data that changes over time (e.g., a database query with a time range), not for static CSV files; a static CSV does not require time-based configuration. Option B is wrong because transforms.conf defines the lookup table file with a filename and optional field mappings, but it does not use a 'search string' — that is a concept for external lookups or KV store lookups, not for static CSV files. Option C is wrong because simply uploading a CSV to Splunk does not automatically make it available as a lookup; you must explicitly define it in transforms.conf and create a lookup definition in props.conf or the Lookups manager.

214
MCQhard

A Splunk admin notices that a lookup is not matching fields correctly. The lookup file has a header row with field names. The search uses `lookup usernames.csv user_id OUTPUT username`. Some events have `user_id` values that exist in the lookup but no match occurs. What is the most likely cause?

A.The lookup file is missing the header row.
B.The lookup file has leading or trailing spaces in the matching column.
C.The lookup is case-sensitive and the search field has different case.
D.The lookup file has quotes around field values that are not stripped.
AnswerB

Spaces cause exact match failures because the search field doesn't have spaces.

Why this answer

Option B is correct because leading or trailing spaces in the lookup file's matching column prevent exact string matching. When Splunk performs a lookup, it compares the field value from the event with the lookup file value using an exact string match. If the lookup file contains spaces (e.g., '123 ' instead of '123'), the values will not match even though the event's `user_id` appears correct.

This is a common data quality issue in CSV files.

Exam trap

The trap here is that candidates often assume lookup failures are due to case sensitivity or missing headers, but Splunk's default case-insensitive matching and automatic quote stripping make whitespace issues the more subtle and likely cause.

How to eliminate wrong answers

Option A is wrong because the lookup file has a header row with field names, as stated in the question, so missing headers is not the cause. Option C is wrong because Splunk lookups are case-insensitive by default for string fields, so case differences would not prevent a match unless explicitly configured otherwise. Option D is wrong because Splunk automatically strips double quotes from CSV field values during ingestion, so quoted values are not a typical cause of lookup mismatches.

215
MCQhard

Refer to the exhibit. A user runs this search in Splunk to create a timechart of web server status codes. The resulting chart shows no data for the "error" status. What is the most likely cause?

A.The 'status' field is not extracted from the sourcetype.
B.The eval command after timechart does not affect the timechart series; the timechart already split by original status values.
C.The stats command after eval removes the status field.
D.The web server is not generating any errors.
AnswerB

Correct. The timechart creates series based on the status field at that point; later eval does not change the series.

Why this answer

The search redefines the 'status' field after the timechart command, but timechart already uses the original status values to create separate series. The eval command overwrites the field, but the timechart series are already fixed. To fix, the eval should be placed before timechart.

216
MCQmedium

A search returns events with a field 'ip' that contains both IPv4 and IPv6 addresses. An analyst wants to count events for each IP type (IPv4 vs IPv6). Which command should be used to create a new field that categorizes the IP type?

A.fields
B.convert
C.eval
D.rex
AnswerC

eval can create a new field with conditional logic.

Why this answer

Option C is correct because the `eval` command can create a new field by evaluating an expression, such as using the `if` function with `like()` or `match()` to test whether the IP address contains a colon (IPv6) or a dot (IPv4). This allows the analyst to categorize each event's IP type into a new field like `ip_type` without altering the original data.

Exam trap

The trap here is that candidates often confuse `rex` with `eval` because both can manipulate fields, but `rex` only extracts existing patterns into new fields, whereas `eval` can create fields based on conditional logic or calculations.

How to eliminate wrong answers

Option A is wrong because the `fields` command only includes or excludes existing fields from search results; it cannot create new fields or evaluate data. Option B is wrong because the `convert` command changes the data type or format of an existing field (e.g., string to number), but it cannot create a new field or perform conditional categorization. Option D is wrong because the `rex` command extracts fields using regular expressions but does not create a new field based on a conditional test; it would require a separate `eval` to assign the category.

217
MCQeasy

A user created a report that runs every hour. They notice the report's results include data from the previous hour only, but they want data from the last 24 hours. What should they change in the search?

A.Increase the report scheduling frequency
B.Add | timechart span=1h
C.Change the time range to Last 24 hours
D.Use | stats count by date_hour
AnswerC

This expands the search window to include 24 hours of data.

Why this answer

Option C is correct because the report's search is currently using a relative time range (e.g., Last hour) that limits results to the previous hour. Changing the time range to 'Last 24 hours' expands the search window to include all events from the past 24 hours, ensuring the report returns the desired data. The scheduling frequency controls when the search runs, not the span of data it retrieves.

Exam trap

The trap here is that candidates confuse scheduling frequency (how often the search runs) with the time range (the window of data the search examines), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because increasing the scheduling frequency (e.g., running every 30 minutes) does not change the time range of the search; it only makes the report run more often, still returning only the previous hour's data each time. Option B is wrong because | timechart span=1h groups results into 1-hour buckets but does not extend the time range; it would still only show data from the current time range (e.g., last hour) as a single bucket. Option D is wrong because | stats count by date_hour counts events per hour but does not change the search's time range; it would only count events within the existing 1-hour window, not the last 24 hours.

218
MCQhard

A team needs to be notified immediately when a specific error pattern appears in logs. The search for the pattern is already written. Which feature of Splunk should they use to set up automated notifications?

A.Save the search as a report and schedule it.
B.Create an alert based on the search.
C.Add the search to a dashboard panel.
D.Save the search as a saved search only.
AnswerB

Alerts can trigger actions when conditions are met.

Why this answer

Option B is correct because Splunk alerts are specifically designed to trigger automated actions—such as email notifications, webhook calls, or script execution—when a scheduled search returns results that meet defined conditions. Since the team needs immediate notification upon the appearance of a specific error pattern, an alert based on the existing search provides the necessary real-time or scheduled monitoring with automated response.

Exam trap

The trap here is that candidates confuse 'scheduled reports' (which only generate and optionally email a report) with 'alerts' (which evaluate conditions and trigger actions), leading them to pick Option A instead of B.

How to eliminate wrong answers

Option A is wrong because saving a search as a report and scheduling it only generates a report on a schedule; it does not inherently trigger notifications or automated actions when the error pattern appears. Option C is wrong because adding the search to a dashboard panel provides a visual display of results but does not include any mechanism for automated notifications. Option D is wrong because saving the search as a saved search only stores the search definition for reuse; it does not schedule execution or send notifications.

219
MCQmedium

Refer to the exhibit. What does the log entry indicate about the search job?

A.The search job was cancelled by the user.
B.The search job failed due to permission issues.
C.The search job hit the time limit and returned partial results.
D.The search job found no results.
AnswerC

The warning explicitly states 'completed with partial results due to time limit'.

Why this answer

Option C is correct because the log shows 'completed with partial results due to time limit', meaning the search hit the time limit and returned partial results. Option A is wrong because the job completed, it wasn't cancelled. Option B is wrong because the result count is not mentioned.

Option D is wrong because there is no error about permissions.

220
MCQmedium

A large organization's security team has a dashboard that displays the top 10 source IPs by number of failed login attempts. The dashboard uses a search: index=security sourcetype=login action=failure | top limit=10 src_ip. Lately, the dashboard shows incorrect data (e.g., IPs that are not actually top). However, when the same search is run in the Search app, it shows correct results. The dashboard is scheduled to refresh every 10 minutes. What is the most likely cause?

A.The dashboard's time range is different from the manual search
B.The dashboard is using a real-time search that causes data inconsistency
C.The dashboard uses a summary index with stale data
D.The user has incorrect field permissions
AnswerC

Summary indexes may not be as up-to-date, causing stale data in scheduled dashboard refreshes.

Why this answer

Option C is correct because the dashboard is likely configured to use a summary index that is populated by a scheduled search. If the summary index is not updated frequently enough or contains stale data, the dashboard will display incorrect results even though the live search in the Search app returns accurate data. The 10-minute refresh interval does not repopulate the summary index; it only re-queries the already stale summary data.

Exam trap

The trap here is that candidates assume the dashboard refresh interval controls the underlying data freshness, but in reality, the summary index is populated independently by a separate scheduled search, and the dashboard only re-queries the summary index, not the original data.

How to eliminate wrong answers

Option A is wrong because if the dashboard's time range were different, the results would consistently differ from the manual search, not just appear incorrect; the manual search would also show different results if run with the same time range. Option B is wrong because real-time searches would show the most current data, not stale or incorrect data, and the dashboard is scheduled to refresh every 10 minutes, not using a real-time search. Option D is wrong because field permissions would prevent the field from being displayed or cause errors, not show incorrect IP counts; the dashboard is displaying data, just the wrong IPs.

221
MCQeasy

Refer to the exhibit. The user wants to display the count over time for each source. However, the chart shows only one line labeled 'MyCount'. What is the problem?

A.The index name is misspelled.
B.The `timechart` command should not have `by source`.
C.The `rename` command after `timechart` renames incorrectly; `timechart count by source` creates multiple fields, and `rename count as "MyCount"` does not rename them.
D.The chart type is line chart by default.
AnswerC

The `rename` command should use a pattern like `rename * as "*"` or rename each series individually.

Why this answer

Option C is correct because `timechart count by source` generates separate fields for each source value (e.g., `count: source1`, `count: source2`), not a single field named `count`. The subsequent `rename count as "MyCount"` fails to match any existing field, so the chart displays only one line labeled `MyCount` (which is actually a null or default aggregation). To rename all source-specific count fields, you must use a wildcard or rename each field individually.

Exam trap

Splunk often tests the nuance that `timechart count by source` creates multiple fields with names like `count: source_value`, and candidates mistakenly think `rename count as "MyCount"` will rename all of them, leading them to overlook the correct answer.

How to eliminate wrong answers

Option A is wrong because a misspelled index name would return no results at all, not a single line labeled 'MyCount'. Option B is wrong because `timechart count by source` is syntactically valid and necessary to break down counts per source over time; removing `by source` would aggregate all sources into one count, which is not the user's intent. Option D is wrong because the chart type (line chart) is not the issue; the problem is the field naming after `timechart`, not the visualization type.

222
MCQeasy

A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?

A.Use the `transaction` command to group related events before counting.
B.Replace `stats count by host` with `top limit=5 host` to limit output.
C.Add a `summarize` command before `stats` to pre-aggregate data.
D.Rewrite the search as `index=main error | stats count by host`.
AnswerD

Placing `error` directly after the index keyword filters at index time, reducing data volume.

Why this answer

Option D is correct because the original search uses a pipe to the `search` command, which forces Splunk to retrieve all events from the index and then filter them in the search head, causing unnecessary I/O and CPU load. By rewriting the search as `index=main error`, the keyword `error` becomes part of the initial search string, allowing Splunk to use its index-time and search-time optimizations (e.g., inverted index lookups, bloom filters) to retrieve only matching events from disk, dramatically reducing the data scanned and improving performance without altering results.

Exam trap

Splunk often tests the misconception that piping to `search` is equivalent to including the term in the initial search string, but in Splunk, the former forces a full index scan while the latter leverages index-level optimizations.

How to eliminate wrong answers

Option A is wrong because the `transaction` command is designed to group related events into transactions based on common fields or time windows, which adds significant processing overhead and is not a performance optimization—it would make the search slower, not faster. Option B is wrong because while `top limit=5 host` limits the output to the top 5 hosts, it does not reduce the amount of data scanned from the index; the search still retrieves all events over the week, and the `top` command only reduces the final result set, not the initial data volume. Option C is wrong because Splunk does not have a `summarize` command; this is a fictitious command that likely confuses candidates with concepts from other tools like SQL or Azure Data Explorer, and it would not execute in Splunk.

223
Multi-Selectmedium

Which three of the following are best practices when working with Data Models in Splunk? (Choose three.)

Select 3 answers
.Use constraints to limit the events included in a data model to only those relevant to the dataset.
.Regularly rebuild data model acceleration summaries after making changes to the data model.
.Create root-level child fields that are independent of any specific dataset hierarchy to improve search efficiency.
.Design data models with a flat, non-hierarchical structure whenever possible to simplify acceleration.
.Define fields using Eval expressions to derive calculated values from existing raw data.
.Always set acceleration to the maximum time range (e.g., All time) to ensure all data is pre-computed.

Why this answer

Constraints are essential for limiting the events in a data model to only those relevant to the dataset, which improves performance and accuracy. Rebuilding acceleration summaries after changes ensures that the pre-computed data reflects the updated model, preventing stale results. Defining fields using Eval expressions allows you to derive calculated values from raw data, enriching the dataset without modifying the underlying indexed data.

Exam trap

Splunk often tests the misconception that flattening data models or using root-level fields improves performance, when in fact the hierarchical structure is fundamental to Splunk's data model design and acceleration efficiency.

224
MCQmedium

A user wants to create a report that shows the top 5 most frequent error messages from the last 7 days. The search results should be sorted by count. Which search is correct?

A.error | top 5 message
B.error | rare message | head 5
C.error | stats count by message | sort -count
D.error | top limit=5 message
AnswerD

Correctly uses top to get top 5.

Why this answer

Option D is correct because the `top` command automatically counts the occurrences of each distinct value of the `message` field, sorts the results in descending order by count, and limits the output to the top 5 results. This directly fulfills the requirement of showing the top 5 most frequent error messages from the last 7 days, sorted by count.

Exam trap

Splunk often tests the exact syntax of the `top` command, where candidates confuse the order of arguments (e.g., `top 5 message` vs `top message limit=5`) or mistakenly use `rare` or `head` to achieve the opposite result.

How to eliminate wrong answers

Option A is wrong because `top 5 message` is invalid syntax; the `top` command requires the field name first (e.g., `top message limit=5`) and does not accept a numeric argument before the field. Option B is wrong because `rare` returns the least frequent values, not the most frequent, and `head 5` would only return the first 5 results of that reversed order, which is the opposite of what is needed. Option C is wrong because while `stats count by message | sort -count` correctly counts and sorts, it does not limit the results to 5; it returns all error messages, which is not the requested top 5.

225
MCQhard

A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is: index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?

A.Use 'eventstats count by clientip, sessionid' and then filter where count > 5, then sort and head.
B.Use the 'transaction' command to group events by clientip and sessionid, then filter by duration.
C.Add a 'where' command after stats to filter out internal IPs and use 'head 10' at the end.
D.Add 'clientip!=10.0.0.0/8' in the base search, then use 'stats count by clientip, sessionid', then 'where count>5', then 'sort - count | head 10'.
AnswerD

Filters early, uses efficient stats, then filters and sorts on reduced data.

Why this answer

Option D is correct because it filters out internal IPs early in the base search using `clientip!=10.0.0.0/8`, which reduces the dataset before any transformation. It then uses `stats count by clientip, sessionid` to aggregate sessions, applies `where count>5` to enforce the minimum product views, and finally sorts and limits to the top 10. This approach minimizes resource consumption by pushing filtering as early as possible and avoids unnecessary fields like `productid`.

Exam trap

The trap here is that candidates often choose Option C because they think filtering after `stats` is acceptable, but they miss that early filtering in the base search is critical for performance, and they also overlook the requirement to exclude sessions with 5 or fewer product views.

How to eliminate wrong answers

Option A is wrong because `eventstats` computes statistics without reducing the number of events, so it still processes all 10 billion events and does not filter out internal IPs, leading to high resource usage. Option B is wrong because the `transaction` command is resource-intensive and designed for grouping events based on time or session boundaries, but here the session is already identified by `clientip` and `sessionid` fields; using `transaction` would be slower and less efficient than `stats`. Option C is wrong because adding `where` after `stats` to filter internal IPs means the `stats` command still processes all events including internal IPs, wasting resources; also, it does not filter for sessions with more than 5 product views.

Page 2

Page 3 of 7

Page 4

All pages