Splunk Core Certified User SPLK-1002 (SPLK-1002) — Questions 301375

510 questions total · 7pages · All types, answers revealed

Page 4

Page 5 of 7

Page 6
301
MCQhard

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?

A.| rename duration as duration_sec
B.| convert duration_sec = duration/1000
C.| eval duration_sec = duration / 1000
D.| fields duration_sec = duration/1000
AnswerC

eval creates new field with arithmetic.

Why this answer

Option C is correct because the `eval` command in Splunk is specifically designed to create new fields by evaluating expressions, including arithmetic operations. Using `| eval duration_sec = duration / 1000` creates a new field `duration_sec` that contains the value of `duration` divided by 1000, converting milliseconds to seconds.

Exam trap

Splunk often tests the distinction between `eval` (for calculations and new field creation) and `convert` (for data type conversion), leading candidates to mistakenly choose `convert` for arithmetic operations.

How to eliminate wrong answers

Option A is wrong because `rename` only changes the name of an existing field, it does not perform any arithmetic or create a new field with a calculated value. Option B is wrong because `convert` is used for data type conversions (e.g., string to number, epoch time formatting), not for arithmetic operations; it does not support the syntax `duration_sec = duration/1000`. Option D is wrong because `fields` is used to keep or remove fields from search results, not to create new fields or perform calculations.

302
MCQeasy

A security team wants to monitor the count of failed login attempts over the past week. They need a simple at-a-glance number. Which visualization type should they use?

A.Line chart
B.Bar chart
C.Pie chart
D.Single Value
AnswerD

Single Value is designed to show a single metric prominently.

Why this answer

A Single Value visualization is the correct choice because it displays a single, aggregated number prominently, making it ideal for an at-a-glance metric like the count of failed login attempts over the past week. In Splunk, you can use a stats or timechart command to calculate the total count and then render it as a Single Value, which shows just the number without any trend or distribution detail.

Exam trap

The trap here is that candidates often overthink and choose a chart type (like Line or Bar) because they associate monitoring with trends, forgetting that the requirement is specifically for a single at-a-glance number, not a pattern over time.

How to eliminate wrong answers

Option A is wrong because a Line chart is designed to show trends over time, not a single aggregated count, and would require time-series data to be meaningful. Option B is wrong because a Bar chart is used for comparing values across categories or time periods, which adds unnecessary complexity for a simple total count. Option C is wrong because a Pie chart is meant for showing proportions of a whole, not a single numeric value, and would be misleading if used for a single metric.

303
Multi-Selectmedium

Which three options describe recommended practices for optimizing and maintaining data model acceleration? (Choose three.)

Select 3 answers
.Accelerate only the data models that are used frequently in searches to conserve disk space and system resources.
.Set the acceleration time range to match the most common search timeframe for that data model.
.Use the `| datamodel` command to manually trigger acceleration rebuilds after major data additions.
.Avoid using acceleration on data models that contain calculated fields, as they cannot be accelerated.
.Schedule the acceleration summary rebuild during off-peak hours to minimize impact on search performance.
.Increase the number of parallel search processes to automatically improve acceleration speed.

Why this answer

Accelerating only frequently used data models conserves disk space and system resources by avoiding unnecessary summary builds. Setting the acceleration time range to match the most common search timeframe ensures that the accelerated data aligns with user query patterns, maximizing efficiency. Scheduling the acceleration summary rebuild during off-peak hours minimizes the performance impact on concurrent searches, as the rebuild process consumes significant CPU and I/O resources.

Exam trap

Splunk often tests the misconception that the `| datamodel` command can manually trigger acceleration rebuilds, when in fact it is only used for searching or inspecting data model structure, not for managing acceleration tasks.

304
MCQhard

A large e-commerce company uses Splunk to monitor its web application. They have a data model named 'Web_Transactions' that contains fields: status_code, response_time, uri, user_agent. The data model is accelerated with a 30-day time range. Recently, the operations team reported that the dashboard showing average response time by URI is loading slowly, taking over 30 seconds to display. Upon investigation, you find that the data model acceleration summary job is taking longer to complete and sometimes fails. The indexers have sufficient CPU and memory, but the disk I/O is high during the summary job. The volume of web logs is approximately 500 GB per day. Which action should the Splunk administrator take to improve dashboard performance?

A.Disable data model acceleration and create a report that runs a scheduled search every 30 minutes to pre-compute the averages.
B.Increase the maximum number of parallel searches for the data model acceleration job in the limits.conf.
C.Add more indexers to distribute the data and reduce the load per indexer.
D.Decrease the acceleration time range from 30 days to 7 days.
AnswerB

Increasing parallelism can reduce the time to build summaries by allowing more concurrent disk reads.

Why this answer

Option B is correct because increasing the `max_concurrent_parallel_searches` for the data model acceleration job in `limits.conf` allows the summary process to use more parallel searches against the indexers, which can reduce the time it takes to build the acceleration summary. Since the indexers have sufficient CPU and memory but disk I/O is high, parallelizing the search workload can better utilize available resources and prevent the job from timing out, thereby improving dashboard performance.

Exam trap

The trap here is that candidates often assume adding more indexers (Option C) is the universal fix for performance issues, but the question explicitly states indexers have sufficient CPU and memory, and the bottleneck is the acceleration summary job's parallelism, not data distribution.

How to eliminate wrong answers

Option A is wrong because disabling data model acceleration and relying on a scheduled report every 30 minutes would not provide the same real-time or near-real-time query performance for the dashboard, and the report itself would still need to scan the full data volume, potentially causing similar I/O and performance issues. Option C is wrong because adding more indexers would require rebalancing data and may help with long-term scaling, but it does not directly address the immediate problem of the acceleration summary job being slow and failing due to high disk I/O; the bottleneck is the summary job's parallelism, not the number of indexers. Option D is wrong because decreasing the acceleration time range from 30 days to 7 days reduces the amount of data to process, which could help, but it would also limit the dashboard's historical visibility and is not the most direct fix for the summary job's performance; the core issue is the job's inability to complete within the current parallelism settings.

305
Multi-Selecthard

A lookup definition in transforms.conf includes the following settings: `filename = employees.csv`, `max_matches = 0`, `case_sensitive_match = false`. Which three statements about this lookup are true? (Choose three.)

Select 3 answers
A.The lookup will fail if there are duplicate keys.
B.The lookup will only return the first match for each event.
C.The lookup matching is case-insensitive.
D.The lookup can be used with the `| lookup` command.
E.The lookup will return all matching rows for each input event.
AnswersC, D, E

case_sensitive_match=false.

Why this answer

Option C is correct because the `case_sensitive_match = false` setting in transforms.conf explicitly makes the lookup matching case-insensitive. This means that when the lookup is performed, the comparison between the event field value and the lookup key ignores differences in uppercase and lowercase characters.

Exam trap

The trap here is that candidates often confuse `max_matches = 0` with 'no matches' or 'first match only', when in fact it means 'unlimited matches', and they may also overlook that `case_sensitive_match = false` explicitly enables case-insensitive matching.

306
MCQmedium

A search needs to replace a field value 'user' with 'full name' using a CSV lookup that has 'username' and 'fullname' columns. Which lookup command is correct?

A.| lookup users.csv username AS user OUTPUTNEW fullname
B.| lookup users.csv user AS username OUTPUT fullname
C.| lookup users.csv username AS user OUTPUT fullname AS full_name
D.| lookup users.csv user AS fullname OUTPUT username
AnswerC

Correctly matches user to username and outputs fullname as full_name.

Why this answer

Option C is correct because the `lookup` command syntax requires specifying the lookup file, then the field name in the lookup file (`username`) mapped to the field in the event (`user`) using `AS`, and then `OUTPUT` to bring the `fullname` field into the event as a new field named `full_name`. This matches the requirement to replace the field value 'user' with 'full name' by using the CSV lookup's `fullname` column.

Exam trap

Splunk often tests the exact syntax of the `lookup` command, specifically the order of fields in the `AS` mapping and the difference between `OUTPUT` and `OUTPUTNEW`, causing candidates to confuse which side of `AS` represents the lookup file column versus the event field.

How to eliminate wrong answers

Option A is wrong because `OUTPUTNEW` would only create the `fullname` field if it doesn't already exist, but the requirement is to replace the field value 'user' with 'full name', and it also incorrectly maps `username` AS `user` (the lookup field should be on the left of AS). Option B is wrong because it maps `user` AS `username`, which reverses the mapping (the event field should be on the right of AS), and it uses `OUTPUT` without renaming the output field, so it would output `fullname` as-is, not as `full_name`. Option D is wrong because it maps `user` AS `fullname`, which incorrectly treats the event field 'user' as the lookup field 'fullname', and then outputs `username`, which does not match the requirement to replace 'user' with 'full name'.

307
MCQmedium

A network operations team uses Splunk to monitor netflow data stored in index='net' and sourcetype='netflow'. The events contain fields: src_ip, dest_ip, bytes, and protocols. The team needs to identify the top 5 source IPs by total bytes transferred (based on the bytes field). For each of those top source IPs, they also want to list the destination IPs and the number of times they communicated. The data volume is large, so performance is important. Which SPL approach returns the desired results efficiently?

A.index=net sourcetype=netflow | eventstats sum(bytes) as total_bytes by src_ip | stats count by src_ip, dest_ip
B.index=net sourcetype=netflow | stats sum(bytes) as total_bytes, count by src_ip, dest_ip | sort -total_bytes | head 5
C.index=net sourcetype=netflow [ search index=net sourcetype=netflow | stats sum(bytes) as total_bytes by src_ip | sort -total_bytes | head 5 | fields src_ip ] | stats count by src_ip, dest_ip
D.index=net sourcetype=netflow | top limit=5 src_ip by bytes | fields src_ip | search index=net sourcetype=netflow | stats count by src_ip, dest_ip
AnswerC

The subsearch calculates top IPs by total bytes; the outer search then counts destinations for those IPs.

Why this answer

Option C is correct because it uses a subsearch to first identify the top 5 source IPs by total bytes, then passes those IPs to the outer search to efficiently compute the count of communications per destination IP. This approach minimizes the data processed in the outer search by filtering only the relevant source IPs, which is critical for performance on large netflow datasets.

Exam trap

The trap here is that candidates often choose option B, mistakenly thinking that sorting by total_bytes after a stats command that groups by both src_ip and dest_ip will correctly identify the top source IPs, but it actually ranks pairs, not individual source IPs.

How to eliminate wrong answers

Option A is wrong because eventstats adds the total_bytes field to every event but does not filter to the top 5 source IPs, and the subsequent stats count by src_ip, dest_ip ignores the total_bytes field entirely, failing to identify the top source IPs. Option B is wrong because it groups by src_ip and dest_ip before sorting, so the sort and head 5 operate on the combined src_ip-dest_ip pairs rather than on the total bytes per source IP, which does not yield the top 5 source IPs by total bytes. Option D is wrong because the top command with limit=5 src_ip by bytes is syntactically invalid (top does not support a by clause for bytes), and the subsequent search index=net sourcetype=netflow is a separate search that does not use the results from the top command, leading to incorrect or no filtering.

308
MCQeasy

An analyst has created a search that they want to run regularly. What is the most efficient way to save this search for future use?

A.Export to CSV
B.Save as an alert
C.Save as a dashboard panel
D.Save as a report
AnswerD

Reports are designed for saving and reusing searches.

Why this answer

Saving as a report allows scheduling and easy reuse. Alerts are for triggering actions, dashboards combine multiple panels, and export is only for current results.

309
MCQmedium

A dashboard uses a base search and a post-process search that modifies the fields. When the base search returns no results, the panel shows an error. How can this be handled?

A.Use the default attribute on the post-process search to provide fallback results
B.Use the depends attribute on the panel and set a token in the base search when results exist
C.Reset the base search to return at least one result
D.Set the panel refresh to a higher interval
AnswerB

This conditionally hides the panel when the base search returns no results, preventing the error.

Why this answer

Option B is correct because the `depends` attribute on a panel allows you to conditionally show or hide the panel based on whether a token is set. By setting a token (e.g., `results_exist`) in the base search only when results are returned, the panel will be hidden when the base search returns no results, preventing the error. This is the standard Splunk approach to handle empty base search results in post-process searches.

Exam trap

Splunk often tests the misconception that you can use a `default` attribute or modify the base search to force results, when in reality the correct approach is to use token-based conditional rendering with the `depends` attribute to hide the panel when no data exists.

How to eliminate wrong answers

Option A is wrong because the `default` attribute on a post-process search does not exist; post-process searches cannot have fallback results defined via an attribute, and they rely entirely on the base search's output. Option C is wrong because resetting the base search to return at least one result is not a valid solution—you cannot force a search to return results if the data doesn't exist, and doing so would corrupt the dashboard's accuracy. Option D is wrong because setting the panel refresh to a higher interval does not address the root cause of the error; it only changes how often the search runs, but if the base search still returns no results, the error will persist on each refresh.

310
Drag & Dropmedium

Drag and drop the steps to create a simple Splunk search that returns results for a specific error in the last 24 hours into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Basic search workflow involves selecting the app, entering the search with time range, executing, and reviewing results.

311
MCQeasy

A user runs a search that returns many results. Which action in the Timeline histogram allows the user to narrow the result set to a specific time range?

A.Click and drag across the timeline
B.Double-click on the timeline bar
C.Right-click and choose 'Filter by time'
D.Click the 'Zoom to selection' button
AnswerA

Dragging selects a time range and updates the search.

Why this answer

Clicking and dragging across the timeline highlights a time range and automatically adjusts the search time bounds. Double-clicking only selects a single bucket, zoom to selection button appears after drag, right-click filter is not available.

312
MCQmedium

The exhibit shows a savedsearch.conf stanza. What is the effect of the setting `displayview = flashtimeline`?

A.It configures the time picker to show the last 30 days.
B.It limits the search results to only timeline events.
C.It sets the default view to the timeline chart when the search is opened.
D.It adds a flash timeline overlay to the search results.
AnswerC

Correct interpretation of displayview.

Why this answer

Option B is correct because `displayview` specifies the default view when the search result is viewed in Splunk Web. `flashtimeline` is the timeline chart. Option A is wrong because it does not limit results. Option C is wrong because it does not set the time range.

Option D is wrong because it does not modify the search string.

313
Multi-Selectmedium

Which three of the following are valid uses of the `stats` command in Splunk? (Choose three.)

Select 3 answers
.Counting the number of events by a specific field using `count(field)`
.Calculating the average value of a numeric field using `avg(field)`
.Removing duplicate events based on a field using `dedup` inside the stats command
.Finding the earliest timestamp of events grouped by a field using `earliest(field)`
.Sorting results in descending order directly within the stats command
.Joining two separate searches into a single stats output

Why this answer

The `stats` command in Splunk is used to perform statistical aggregations on search results. `count(field)` counts the number of events where the specified field exists, `avg(field)` calculates the mean of a numeric field, and `earliest(field)` returns the earliest (oldest) timestamp value for that field within each group. These are all valid aggregation functions that operate on field values across events.

Exam trap

The trap here is that candidates confuse `dedup` as a stats function or think sorting can be embedded in `stats`, when in fact `stats` only supports statistical and time-based aggregations, not deduplication or ordering.

314
MCQhard

What is the purpose of this search?

A.To list the first 5 status codes in alphabetical order.
B.To filter events with status codes that appear less than 5 times.
C.To display the 5 most common HTTP status codes in the web index.
D.To show the 5 most recent events sorted by status code.
AnswerC

Counts by status, sorts descending, top 5.

Why this answer

The search uses `top` to find the most common values in the `status` field, limited to 5 results. The `top` command counts occurrences and sorts by count descending, so it returns the 5 most frequent HTTP status codes from the web index. Option C correctly describes this behavior.

Exam trap

The trap here is that candidates confuse `top` with `head` or `sort` commands, assuming it returns the first few events or sorts alphabetically, rather than understanding it performs frequency-based aggregation.

How to eliminate wrong answers

Option A is wrong because `top` does not sort alphabetically; it sorts by frequency count descending. Option B is wrong because `top` shows the most common values, not those appearing fewer than 5 times; that would require a `where count < 5` after a `stats count` command. Option D is wrong because `top` does not sort by time or show recent events; it aggregates counts over the entire search timeframe and orders by frequency.

315
Multi-Selectmedium

Which TWO of the following commands can be used to create a new field from existing fields?

Select 2 answers
A.rex
B.eval
C.table
D.convert
E.fields
AnswersA, B

Can extract and create new fields via regular expressions.

Why this answer

The `rex` command is correct because it uses regular expressions to extract new fields from existing field values. For example, `rex field=message "(?<newField>pattern)"` creates a new field named `newField` by matching a portion of the `message` field. This allows you to derive structured data from unstructured or semi-structured fields.

Exam trap

Splunk often tests the distinction between commands that *extract* or *compute* new fields (`rex`, `eval`) versus commands that only *filter* or *transform* existing fields (`table`, `fields`, `convert`), leading candidates to mistakenly select `convert` or `fields` because they assume any command that modifies output can create fields.

316
Drag & Dropmedium

Drag and drop the steps to install an app from Splunkbase into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Installing from Splunkbase requires browsing, installing, and possibly restarting Splunk.

317
MCQmedium

A user frequently runs a long search and wants to save it as a report. What is the best practice when naming the report?

A.Include the user's username in the name
B.Include the current date in the name
C.Use a generic name like 'Daily Report'
D.Use a descriptive name that reflects the search purpose
AnswerD

Clarity and reusability are best practices.

Why this answer

Option B is correct because a descriptive name helps identify the report's purpose. Option A is wrong because generic names are not helpful. Option C is wrong because user names are irrelevant.

Option D is wrong because date is better added in description, not name.

318
MCQhard

When designing a data model for heterogeneous log sources, which approach minimizes field conflicts?

A.Use only root datasets.
B.Normalize fields to common names and use constraints to differentiate.
C.Use one data model per sourcetype.
D.Avoid using calculated fields.
AnswerB

This allows multiple sourcetypes to map to the same dataset with consistent field names.

Why this answer

Option B is correct because normalizing fields to common names (e.g., mapping 'src_ip', 'source_ip', and 'clientip' to a single field like 'src_ip') and using constraints to differentiate datasets ensures that heterogeneous log sources share a consistent schema within the data model. This approach minimizes field conflicts by preventing duplicate or conflicting field definitions across datasets, while constraints allow each dataset to apply specific search-time filtering (e.g., `sourcetype=access_combined`) to isolate its data. It aligns with Splunk best practices for data model design, enabling efficient pivot and report acceleration without schema collisions.

Exam trap

The trap here is that candidates often choose Option C (one data model per sourcetype) because they think it avoids conflicts by isolating schemas, but they overlook that Splunk data models are designed to unify heterogeneous sources under a common schema, and per-sourcetype models break correlation and increase administrative complexity.

How to eliminate wrong answers

Option A is wrong because using only root datasets eliminates the ability to define specialized fields or constraints for different sourcetypes, leading to a flat, inflexible schema that cannot handle heterogeneous log sources without field conflicts. Option C is wrong because creating one data model per sourcetype defeats the purpose of a unified data model, causing duplication of effort, increased maintenance overhead, and inability to correlate data across sourcetypes in a single pivot or report. Option D is wrong because avoiding calculated fields does not address field conflicts; calculated fields are derived from existing fields and do not cause schema collisions, and the real issue is inconsistent field naming across sourcetypes, which normalization resolves.

319
MCQeasy

A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?

A.| stats count by src_ip | sort - count
B.| top limit=5 src_ip
C.| sort - count | head 5
D.| table src_ip | head 5
AnswerB

The top command with limit=5 returns the top 5 values.

Why this answer

Option B is correct because the `top` command is specifically designed to return the most common values of a field, and `limit=5` restricts the output to the top 5 source IP addresses by count. This command automatically sorts the results in descending order, making it the most efficient and direct way to identify the top 5 source IPs generating web traffic.

Exam trap

The trap here is that candidates often confuse `top` with `stats count` followed by `sort` and `head`, not realizing that `top` already includes sorting and limiting, and that `sort - count` alone without a preceding stats command will fail.

How to eliminate wrong answers

Option A is wrong because `| stats count by src_ip | sort - count` does produce a count per source IP and sorts it, but it does not limit the output to the top 5; it would return all source IPs sorted, which is not what the question asks. Option C is wrong because `| sort - count | head 5` is missing the initial `stats` or `top` command to generate the count; `sort - count` would fail because there is no `count` field to sort on unless preceded by a stats command. Option D is wrong because `| table src_ip | head 5` simply displays the first 5 source IPs from the raw events, not the top 5 by traffic volume; it does not perform any aggregation or counting.

320
MCQhard

During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?

A.Remove unnecessary fields from the data model to reduce complexity.
B.Increase the memory allocation for the data model acceleration process.
C.Reduce the summary range to less than 7 days.
D.Use tstats instead of data model acceleration for queries.
AnswerB

The error indicates insufficient memory; increasing allocation resolves it.

Why this answer

Option B is correct because the error 'not enough memory to complete summary build' indicates that the data model acceleration process has exhausted its allocated memory. Increasing the memory allocation for the data model acceleration process (via the limits.conf or the data model acceleration settings) directly addresses this resource constraint, allowing the summary to build successfully.

Exam trap

The trap here is that candidates often confuse memory errors with data complexity or time range issues, leading them to choose options that reduce data volume (A or C) rather than addressing the specific resource allocation problem (B).

How to eliminate wrong answers

Option A is wrong because removing unnecessary fields reduces the data model's complexity and storage footprint but does not directly address the memory allocation error; the error is about insufficient memory for the build process, not about field count. Option C is wrong because reducing the summary range to less than 7 days may reduce the amount of data to process but does not resolve the underlying memory shortage; the error is about memory, not time range. Option D is wrong because using tstats instead of data model acceleration is a workaround that bypasses acceleration entirely, not a best practice to prevent the memory error; the question asks for a practice to prevent the error, not to avoid acceleration.

321
MCQeasy

Refer to the exhibit. What would happen if the eval statement was changed to: eval priority = case(error = "critical", 1, error = "warning", 2, true(), 3)?

A.The search returns no results
B.The search returns the same results as before
C.The search only returns priority 3
D.The search returns a syntax error
AnswerB

true() functions similarly to 1=1 as a catch-all.

Why this answer

Option B is correct because the `case` function in Splunk evaluates conditions in order and returns the first match. The original `case` statement used `error=="critical"` and `error=="warning"`, while the new one uses `error = "critical"` and `error = "warning"`. In Splunk, the `=` operator is equivalent to `==` for string comparison in `eval` expressions, so both forms produce identical results.

The `true()` clause at the end acts as a default, assigning priority 3 to any other value, which matches the original behavior.

Exam trap

The trap here is that candidates may think `=` is an assignment operator in `eval` (like in some programming languages) and expect a syntax error, but in Splunk's `eval` context, `=` is a valid comparison operator equivalent to `==`.

How to eliminate wrong answers

Option A is wrong because the search will return results; the `case` function is valid and will assign priorities based on the conditions. Option C is wrong because the `case` function evaluates conditions sequentially, so errors with value 'critical' get priority 1 and 'warning' get priority 2, not just priority 3. Option D is wrong because `=` is a valid comparison operator in Splunk's `eval` context, equivalent to `==`, so no syntax error occurs.

322
MCQhard

A dashboard has multiple panels that use the same base search. The admin wants to avoid running the same search multiple times. Which feature should be used?

A.Post-process search
B.Report acceleration
C.Data model
D.Summary indexing
AnswerA

Post-process searches share a common base search, running it once for multiple panels.

Why this answer

Option A is correct because post-process searches allow a dashboard panel to run a secondary search against the results of a base search, rather than re-running the original search against the index. This avoids redundant data retrieval and processing, as the base search runs once and its results are stored in a results server, which subsequent post-process searches query using the `| search` command or similar filtering.

Exam trap

The trap here is that candidates often confuse post-process searches with report acceleration or summary indexing, thinking any caching mechanism will work, but only post-process searches directly reuse a single base search's result set across multiple panels without additional index queries.

How to eliminate wrong answers

Option B is wrong because report acceleration pre-computes and stores aggregated results for a single report or search, but it does not enable multiple panels to share a single base search result; each accelerated report still runs its own search against the index. Option C is wrong because a data model defines a hierarchical, persistent schema over indexed data and is used for pivot-based reporting, not for sharing a live base search result across panels; it requires separate searches or pivot queries to generate data. Option D is wrong because summary indexing saves the results of a search to a summary index for later use, but it requires explicit scheduling and writing to a separate index, and panels would need to search that summary index independently, not directly share the same base search result in real time.

323
MCQmedium

A financial analyst creates a dashboard in Splunk Web to track daily transaction volumes. The dashboard has three panels: a table of top 10 merchants by transaction count, a bar chart of transactions by hour, and a single value showing total transaction amount. All panels use the same base search from the 'transactions' index. The analyst is in the 'finance' role. The dashboard runs fine in the analyst's session, but when the analyst shares the dashboard with the 'auditor' role, the auditor sees no data in any panel. The auditor role has read access to the dashboard and the 'transactions' index. What is the most likely cause?

A.The base search used in the dashboard's panels is a saved search owned by the analyst, and the 'auditor' role does not have permissions to that saved search
B.The 'auditor' role does not have read access to the 'transactions' index
C.The dashboard's permission is set to 'private' and only the analyst can view it
D.The dashboard is set to run as the 'finance' role, and the 'auditor' role lacks the 'rbac_perm' privilege
AnswerA

If the base search is saved and owned by the analyst, other roles need explicit read permission on that search object.

Why this answer

Option A is correct because the base search is a saved search owned by the analyst. When a dashboard uses a saved search as its base search, Splunk enforces permissions on that saved search object. Even though the auditor role has read access to the 'transactions' index, if the saved search itself is not shared with the auditor role (e.g., it remains private to the analyst), the dashboard panels will fail to retrieve data for the auditor.

This is a common permission scoping issue in Splunk where data access is gated by the saved search object, not just the index.

Exam trap

Splunk often tests the misconception that index-level read access alone guarantees data visibility in dashboards, ignoring the separate permission layer on saved search objects used as base searches.

How to eliminate wrong answers

Option B is wrong because the question explicitly states the auditor role has read access to the 'transactions' index, so index-level permissions are not the issue. Option C is wrong because if the dashboard were private, the analyst could not share it at all; the auditor can see the dashboard (no data), so the dashboard itself is shared. Option D is wrong because there is no 'rbac_perm' privilege in Splunk; dashboards can be set to run as a specific role via 'run as' permissions, but the core issue here is the saved search ownership, not a missing privilege name that doesn't exist.

324
MCQhard

A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?

A.Disable data model acceleration and rely on raw data searches.
B.Decrease the acceleration time range in the data model definition.
C.Decrease the backfill time for the data model.
D.Increase the acceleration time range to speed up summary generation.
AnswerB

Reducing the acceleration time range reduces the amount of stored summary data, saving disk space.

Why this answer

Option B is correct because decreasing the acceleration time range in the data model definition directly reduces the amount of data the summary covers, which lowers disk usage on the indexers. Since the dashboard refreshes every 30 minutes, a shorter acceleration range (e.g., last 7 days instead of 30) still keeps the most recent data pre-computed for fast queries, maintaining performance for the refresh interval.

Exam trap

The trap here is confusing the acceleration time range (which controls the scope of pre-computed data) with the backfill time (which only affects the initial historical build), leading candidates to incorrectly choose option C.

How to eliminate wrong answers

Option A is wrong because disabling acceleration forces the dashboard to run raw searches against the full dataset, which would drastically increase query latency and likely break the 30-minute refresh performance requirement. Option C is wrong because the backfill time controls how far back the summary is initially built, not the ongoing disk usage; reducing it only affects the initial build, not the steady-state storage. Option D is wrong because increasing the acceleration time range would cause the summary to cover more data, thereby increasing disk usage and worsening the problem, not solving it.

325
MCQhard

A search uses a lookup to enrich results with a field 'status'. After the lookup, some events have empty status values. The lookup file contains a mapping for all possible status codes. What is a likely reason for empty values?

A.The events are not indexed.
B.The lookup command uses output_fields incorrectly.
C.The lookup file has duplicate keys.
D.The lookup field name in the event does not match the lookup key.
AnswerD

Mismatch prevents matching, resulting in no enrichment.

Why this answer

Option D is correct because the lookup command matches a field in the event (the lookup key) against a field in the lookup file. If the field name in the event does not exactly match the lookup key field name in the lookup file, no match occurs, and the output field (e.g., 'status') remains empty. This is a common misconfiguration when the lookup key field is misspelled or has a different case.

Exam trap

Splunk often tests the distinction between a lookup that returns no match (empty values) versus a lookup that fails due to syntax or data issues, and candidates mistakenly blame duplicate keys or output_fields instead of recognizing a key field mismatch.

How to eliminate wrong answers

Option A is wrong because events that are not indexed would not appear in search results at all, so they cannot have empty status values after a lookup. Option B is wrong because output_fields controls which fields from the lookup file are added to events; incorrect usage would cause missing fields entirely, not empty values for a field that exists. Option C is wrong because duplicate keys in a lookup file cause the lookup to return only the first matching value, not empty values; empty values occur only when no match is found.

326
MCQmedium

Refer to the exhibit. The lookup file app_versions.csv contains fields 'app' and 'version'. The version values are strings like '1.5', '2.0', '2.1'. What is the issue with this search?

A.Version comparison will not be numeric, giving incorrect results
B.where cannot be used with string comparisons
C.inputlookup is not a valid command
D.table should be replaced with fields
AnswerA

String comparison fails for version numbers.

Why this answer

The issue is that the `where` clause performs lexicographic (string) comparison on the `version` field because the values in the lookup file are stored as strings (e.g., '1.5', '2.0', '2.1'). Since string comparison evaluates character by character, a version like '2.0' would be considered greater than '10.0' because '2' > '1' as a character, leading to incorrect filtering results. To compare versions numerically, you must convert the field to a numeric type using functions like `tonumber()` or parse the version string into comparable components.

Exam trap

Splunk often tests the misconception that `where` can automatically handle numeric comparisons for fields that look like numbers but are stored as strings, leading candidates to overlook the need for explicit type conversion.

How to eliminate wrong answers

Option B is wrong because `where` can be used with string comparisons; the command supports both string and numeric comparisons, so the issue is not about the command's capability but the data type. Option C is wrong because `inputlookup` is a valid command that loads a lookup file into the search, and it is correctly used here to retrieve the CSV data. Option D is wrong because `table` is a valid command that returns results in a tabular format, and replacing it with `fields` would not resolve the version comparison issue; the problem lies in the comparison logic, not the output command.

327
MCQmedium

A lookup definition is configured with a very large CSV file. The lookup performs slowly. Which change would most improve performance?

A.Use inputlookup instead of lookup.
B.Ensure the lookup field in the file is the first column.
C.Add an index to the lookup file.
D.Convert the CSV to a TSV.
AnswerB

Optimizes search within the file.

Why this answer

Splunk's lookup command performs a linear scan of the CSV file to find matching values. By placing the lookup field as the first column, Splunk can use an internal optimization that reduces the search space, as it can quickly locate the matching row without scanning the entire file. This is the most effective single change for improving performance with a large CSV-based lookup.

Exam trap

The trap here is that candidates often confuse database indexing with file-based lookups, assuming an 'index' can be added to a CSV, or they mistakenly believe changing the file format (TSV vs CSV) affects search speed, when the real optimization is about the column order and the resulting search algorithm efficiency.

How to eliminate wrong answers

Option A is wrong because inputlookup is a search command that loads the entire lookup file into memory as a dataset, which does not improve performance for field-based lookups and can actually be slower for large files. Option C is wrong because CSV files do not support indexing; indexes are a database concept and Splunk does not create indexes on static lookup files. Option D is wrong because converting CSV to TSV does not change the underlying linear scan behavior; the delimiter has no impact on lookup performance.

328
MCQhard

Refer to the exhibit. The dashboard panel shows a column chart of bytes by protocol for the last 24 hours. However, the chart shows only one column. What is the most likely cause?

A.The search returns only one result row
B.The chart type cannot display multiple columns
C.The protocol field is not extracted
D.The time range is not wide enough
AnswerA

A single result row means one unique protocol, hence one column.

Why this answer

Option A is correct because a column chart in Splunk displays one column per distinct value of the x-axis field. If the search returns only one result row (e.g., a single protocol value such as 'HTTP' with a total byte count), the chart will render a single column. This typically occurs when the search uses a stats or timechart command that groups by a field with only one unique value, or when a filter like `protocol=*` inadvertently matches only one protocol.

Exam trap

Splunk often tests the misconception that a single column indicates a data extraction problem (like field not extracted) or a visualization limitation, when the real issue is that the search result set contains only one distinct value for the grouping field.

How to eliminate wrong answers

Option B is wrong because Splunk column charts can display multiple columns when the x-axis field has multiple distinct values; the chart type is not inherently limited to one column. Option C is wrong because if the protocol field were not extracted, the chart would show no columns or an error, not a single column with data. Option D is wrong because the time range being too narrow would reduce the number of events but still allow multiple protocol values to appear if they exist in that window; a single column indicates a single distinct value, not insufficient time span.

329
MCQeasy

A search uses `| fields - _raw, _time` and then later needs `_time` again. What will happen?

A.The `_time` field is no longer available for later commands.
B.The command removes all fields except _raw and _time.
C.The command will cause an error because you cannot remove internal fields.
D.The `_time` field will still be available but empty.
AnswerA

The fields command with '-' removes those fields from subsequent processing.

Why this answer

The `| fields - _raw, _time` command explicitly removes the `_time` field from the search results. Once a field is removed using the `fields` command with a minus sign, it is no longer available for any subsequent commands in the search pipeline. This is because the `fields` command operates on the current working set of events, stripping out the specified fields entirely, and later commands cannot reference a field that has been removed.

Exam trap

The trap here is that candidates often assume internal fields like `_time` cannot be removed or that removing them only empties the value, when in fact the `fields` command with a minus sign completely deletes the field from the event data.

How to eliminate wrong answers

Option B is wrong because the `fields` command with a minus sign removes the listed fields, not keeps them; the command removes `_raw` and `_time`, leaving all other fields intact. Option C is wrong because Splunk allows removal of internal fields like `_raw` and `_time` using the `fields` command; no error is generated. Option D is wrong because the `_time` field is not merely emptied but is completely removed from the event data, so it is not available at all.

330
Multi-Selectmedium

A Splunk user wants to create a lookup that maps a field 'status_code' to a human-readable 'status_description'. The lookup data is small and changes infrequently. Which TWO methods are appropriate for creating this lookup? (Choose two.)

Select 2 answers
A.Create a lookup definition file (transforms.conf) with the mapping inline
B.Create a KV Store collection to store the mapping
C.Use the 'lookup' command in a search to create a temporary mapping each time
D.Use a calculated field in props.conf to derive the description from the code
E.Save a CSV file with the mapping and define a lookup from that file
AnswersA, E

A lookup definition file can include inline data or reference a file; it's a standard method.

Why this answer

Option A is correct because a lookup definition file (transforms.conf) can contain an inline mapping using the `filename` or `external_type` settings, but more specifically for small static data, you can define a lookup with a `table` or `static` definition that directly maps values without an external file. This is efficient for small, infrequently changing data as it avoids file management overhead. Option E is correct because saving a CSV file with the mapping and defining a lookup from that file is the standard method for small, static lookup data in Splunk, using the `lookup` command or automatic lookup to enrich events.

Exam trap

The trap here is that candidates often confuse KV Store (designed for dynamic, writable data) with static CSV lookups, or think the `lookup` command can create mappings on the fly, when in fact it only applies pre-defined lookup definitions from configuration files.

331
MCQmedium

A user is building a search in Splunk Web and wants to use the field autocomplete feature to quickly select fields. What must the user do to enable this feature?

A.Press Ctrl+Enter to trigger autocomplete suggestions.
B.No action needed; autocomplete is always active in the search bar.
C.Click the 'Add to Search' button next to field names.
D.Enable it in the user preferences under Settings.
AnswerB

Correct: Autocomplete is always active.

Why this answer

Option C is correct because field autocomplete is a built-in feature of the Splunk Web search bar and is always enabled; no special action is needed. Option A is incorrect because there is no separate option to enable it. Option B is incorrect because the 'Add to Search' button is for adding fields manually, not autocomplete.

Option D is incorrect because Ctrl+Enter is used to run a search, not for autocomplete.

332
Multi-Selectmedium

Which TWO of the following are knowledge objects in Splunk?

Select 2 answers
A.Field extraction
B.Alert
C.Dashboard
D.Source type
E.Index
AnswersA, B

Field extractions are knowledge objects that define how to extract fields.

Why this answer

Field extractions and alerts are considered knowledge objects that enrich data or trigger actions. Dashboards are saved objects but not knowledge objects per se; indexes and sourcetypes are core data definitions.

333
Multi-Selectmedium

Which TWO commands can be used to create a chart that shows the count of events over time?

Select 2 answers
A.top
B.eval
C.timechart
D.stats
E.chart
AnswersC, E

timechart is specifically designed for time-series charting.

Why this answer

The `timechart` command is specifically designed to create a time-based chart where the x-axis represents time and the y-axis represents a statistical aggregation, such as count. By default, `timechart count` splits events into time buckets and counts the number of events in each bucket, making it ideal for showing event counts over time. The `chart` command can also produce a time-based chart when used with the `_time` field as the x-axis, but it requires explicit specification of the time field and does not automatically bucket by time like `timechart` does.

Exam trap

Splunk often tests the distinction between `chart` and `timechart`, where candidates mistakenly think `chart` alone cannot produce a time-based chart, but `chart` can when explicitly using `_time` as the x-axis, though `timechart` is the more appropriate and automatic choice for time-based counts.

334
MCQhard

Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?

A.The index 'web' does not contain any events.
B.The bar chart cannot display the results.
C.The stats command requires a by clause and host is not a valid field.
D.The 'response_time' field does not exist in the access_combined sourcetype.
AnswerD

Correct. Access_combined sourcetype usually does not include response_time; it might be in other sourcetypes.

Why this answer

The search for response time uses a field 'response_time' which may not exist in the access_combined sourcetype. The access_combined sourcetype typically does not have a response_time field; it might be named differently (e.g., time_taken).

335
Multi-Selecthard

Which TWO of the following are best practices when creating and using data models in Splunk?

Select 2 answers
A.Accelerate data models to improve search performance on large datasets.
B.Minimize the number of fields defined in a data model to reduce acceleration overhead.
C.Always accelerate root events in a data model to ensure all data is pre-computed.
D.Define all possible fields in the data model to ensure maximum flexibility.
E.Use data model acceleration only when building Pivot reports.
AnswersA, B

Correct: Acceleration creates tsidx files for faster search.

Why this answer

Option A is correct because accelerating a data model pre-computes the data model's field values and stores them in a summary index, which significantly reduces search time when running reports or Pivot searches against large datasets. This is a core best practice for optimizing performance with data models in Splunk.

Exam trap

The trap here is that candidates often assume accelerating all root events (Option C) is always beneficial, but Splunk best practices emphasize selective acceleration to balance performance gains against resource consumption, and that acceleration serves all search types, not just Pivot reports (Option E).

336
Matchingmedium

Match each search mode to its behavior.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Optimizes for speed, minimal fields and events

Adjusts automatically based on search complexity

Returns all fields and events for maximum detail

Why these pairings

Search modes affect performance and output.

337
Multi-Selectmedium

Which TWO actions are valid for modifying the appearance of a column chart in a dashboard panel? (Choose two.)

Select 2 answers
A.Set the chart to use a radial display to make it a pie chart.
B.Swap the chart type to a horizontal bar chart using the 'Chart' dropdown.
C.Adjust marker size to make bars thicker.
D.Specify a sort order for the x-axis categories.
E.Change the color palette in the 'Colors' section of the formatting options.
AnswersD, E

Sorting the x-axis is possible via 'Sort' option under 'X-Axis'.

Why this answer

Option D is correct because in a column chart, you can specify a sort order for the x-axis categories using the 'Sorting' options in the formatting panel. This allows you to control the sequence of categories displayed, such as sorting by alphabetical order or by a numeric field value. Option E is correct because the 'Colors' section in the formatting options lets you change the color palette for the chart, modifying the appearance of the columns.

Exam trap

The trap here is that candidates often confuse 'modifying appearance' with 'changing chart type' or 'adjusting properties that don't apply to column charts', such as marker size, which is specific to line and scatter plots.

338
MCQeasy

A user reports that a data model acceleration is consuming excessive disk space on the indexer. The data model has a summary range of 90 days. Which action is best to reduce disk space usage while maintaining acceptable query performance?

A.Increase the acceleration frequency to rebuild summaries more often.
B.Reduce the summary range to 30 days.
C.Disable acceleration for the data model.
D.Delete old indexed data that is not frequently queried.
AnswerB

A shorter summary range reduces the amount of summary data, saving disk space.

Why this answer

Reducing the summary range from 90 days to 30 days directly decreases the amount of data that the acceleration precomputes and stores on the indexer. This minimizes disk space consumption while still accelerating queries for the most recent, commonly accessed data. Maintaining a shorter summary range ensures acceptable performance for recent queries without the overhead of storing summaries for older, less frequently accessed time periods.

Exam trap

The trap here is that candidates may confuse summary range with acceleration frequency or think that deleting raw data is the primary way to free space, when in fact the acceleration summaries themselves are the direct cause of the disk space issue.

How to eliminate wrong answers

Option A is wrong because increasing the acceleration frequency rebuilds summaries more often, which increases CPU and I/O load and can temporarily use more disk space during rebuilds, but does not reduce the total amount of stored summary data. Option C is wrong because disabling acceleration eliminates all precomputed summaries, which would severely degrade query performance on large datasets, especially for searches over the 90-day range. Option D is wrong because deleting old indexed data removes raw data that may be needed for compliance or historical analysis, and it does not directly address the disk space consumed by the acceleration summaries themselves.

339
Multi-Selectmedium

Which of the following are valid reasons to use a lookup in Splunk? (Choose two.)

Select 2 answers
A.To enrich events with additional information from an external source.
B.To create new fields using the eval command.
C.To alias field names permanently.
D.To change the timestamp format of events.
E.To filter events based on a field that matches a list of values.
AnswersA, E

Primary use.

Why this answer

Option A is correct because a lookup in Splunk enriches events by adding fields from an external source, such as a CSV file, KV store, or scripted lookup, based on a matching field in the event. This allows you to bring in contextual data (e.g., user names, device details) without modifying the original raw data.

Exam trap

The trap here is that candidates often confuse the `lookup` command with other field-manipulation commands like `eval` or `fieldalias`, leading them to select options that describe those commands instead of the specific purpose of a lookup.

340
Multi-Selectmedium

Which TWO of the following are features available in the Splunk Web interface under the 'Settings' menu?

Select 2 answers
A.Reports
B.Knowledge
C.Data Inputs
D.Dashboards
E.Search Center
AnswersB, C

Settings > Knowledge manages event types, fields, etc.

Why this answer

Options B and C are correct. Option B: Knowledge contains event types, tags, fields, etc. Option C: Data Inputs is for configuring inputs.

Option A is wrong because Reports are managed under the 'Reports' link in the app, not directly under Settings. Option D is wrong because Dashboards are created within an app, not under Settings. Option E is wrong because Search Center is not a setting; it's a feature in Splunk Cloud but not in Settings.

341
MCQhard

An analyst runs a search that returns 10,000 events. They want to see the distribution of the 'status' field across the 'method' field. Which command should be used?

A.top method by status
B.stats count by status, method
C.pivot status method
D.chart count over status by method
AnswerB

Produces a table of counts for each pair.

Why this answer

Option B is correct because the `stats count by status, method` command groups events by both the 'status' and 'method' fields, then counts the number of events in each combination, producing a table that shows the distribution of status values across method values. This directly answers the requirement to see how the 'status' field is distributed across the 'method' field.

Exam trap

Splunk often tests the subtle difference between `stats` and `chart` commands, and the trap here is that candidates may confuse the valid syntax of `chart` (which requires `by` or `over` but not both in the same clause) with the simpler `stats` syntax, leading them to choose option D despite its invalid syntax.

How to eliminate wrong answers

Option A is wrong because `top method by status` returns the most common values of 'method' for each value of 'status', but it does not show the full distribution of all status values across all method values; it only shows the top method per status, which is a different analytical goal. Option C is wrong because `pivot` is a command used in the Splunk Pivot interface for building data models, not a search command that can be run directly in the search bar; it requires a data model and is not a valid transforming command for this ad-hoc search. Option D is wrong because `chart count over status by method` has incorrect syntax; the correct syntax for the `chart` command is `chart count by status, method` or `chart count over method by status`, but `over status by method` is invalid and would cause a parsing error.

342
MCQeasy

An analyst wants to see all field names and their types from a search result. Which command can be used?

A.fieldsummary
B.fields *
C.eval
D.rex
AnswerA

Correct command to display field names and types.

Why this answer

The `fieldsummary` command returns a table listing all field names, their types (e.g., number, string), and basic statistics (count, distinct count) from the search results. This directly meets the analyst's requirement to see field names and their types without manually inspecting raw events.

Exam trap

The trap here is that candidates confuse `fields *` (which shows field names only) with `fieldsummary` (which shows names and types), or they think `eval` or `rex` can be used to list field metadata, when in fact those commands are for field creation and extraction, not introspection.

How to eliminate wrong answers

Option B (`fields *`) is wrong because it only retains or displays all fields in the search results, but does not show their data types or summary statistics. Option C (`eval`) is wrong because it creates new fields or modifies existing ones using expressions, not for listing field names and types. Option D (`rex`) is wrong because it extracts fields using regular expressions from raw event data, not for displaying existing field metadata.

343
MCQmedium

Refer to the exhibit. An admin is trying to accelerate this data model, but receives an error: 'Data model 'Authentication' has no constraints.' What is the most likely cause?

A.The data model name must be in uppercase.
B.The constraint is missing the dataset name.
C.The field 'action' is not allowed in a data model.
D.The constraint is defined at the root level incorrectly.
AnswerB

Constraints should be under a specific dataset, e.g., [datamodel/Authentication/root_dataset/constraint].

Why this answer

The error 'Data model 'Authentication' has no constraints' occurs because the constraint definition in the data model is missing the dataset name prefix. In Splunk data models, constraints must specify which dataset they apply to (e.g., 'Authentication.action=*' instead of just 'action=*'), otherwise the data model cannot enforce the constraint and fails validation.

Exam trap

Splunk often tests the requirement that constraints in data models must include the dataset name prefix, and candidates mistakenly think the error is about field names or case sensitivity rather than the missing dataset reference.

How to eliminate wrong answers

Option A is wrong because data model names are case-sensitive but can be in any case; uppercase is not required. Option C is wrong because the field 'action' is a common, allowed field in data models; there is no restriction against it. Option D is wrong because the constraint is not defined at the root level incorrectly; the root level is the correct place for constraints, but the syntax is missing the dataset name prefix.

344
MCQeasy

An admin wants to allow power users to search against a data model but prevent them from modifying its definition. Which permission setting should the admin configure?

A.Grant read permission on the data model to the role.
B.Grant write permission on the data model to the role.
C.Grant search permission on the data model to the role.
D.Assign the data model to the role's default app.
AnswerA

Read permission enables searching without modification rights.

Why this answer

In Splunk, data models are knowledge objects that can be shared via roles. To allow a user to search against a data model without being able to modify it, the admin must grant only read permission on the data model to the role. Read permission enables the user to view and use the data model in searches, while write permission is required to edit or delete it.

Granting search permission is not a valid permission level for data models; Splunk uses read and write as the primary access controls for knowledge objects.

Exam trap

The trap here is that candidates often confuse 'search' permission with read permission, or think that assigning a data model to a default app grants access, when in fact Splunk uses a simple read/write permission model for knowledge objects and app assignment only affects visibility, not authorization.

How to eliminate wrong answers

Option B is wrong because granting write permission on the data model would allow the user to modify its definition, which directly contradicts the requirement to prevent modification. Option C is wrong because there is no 'search' permission for data models; Splunk permissions for knowledge objects are based on read and write, and search access is implicitly granted through read permission. Option D is wrong because assigning the data model to a role's default app controls where the data model appears in the app context, not the user's ability to search or modify it; it does not enforce any permission restrictions.

345
MCQhard

A Splunk administrator notices that a lookup definition named 'assets' is not returning any results in searches even though the CSV file exists and has data. The lookup definition uses the filename 'assets.csv' and the matching field 'ip' matches the event field 'dest_ip'. The search query 'index=main | lookup assets ip AS dest_ip OUTPUT asset_name' returns no asset_name values. What is the most likely cause?

A.The lookup command syntax is incorrect; it should be 'lookup assets dest_ip AS ip'
B.The lookup command is missing the 'name' field; it should be 'lookup assets name AS ip'
C.The user may not have permissions to access the lookup definition; check the knowledge object permissions
D.The command should use 'inputlookup' instead of 'lookup' to load the CSV data
AnswerC

If the user does not have read access to the lookup definition, the lookup will silently return no results.

Why this answer

Option C is correct because the lookup definition exists and the CSV file has data, but the search returns no results, indicating a permissions issue. In Splunk, knowledge objects like lookups have permissions that restrict which roles can use them; if the user's role lacks read access to the 'assets' lookup definition, the lookup command will silently return no results. The syntax and command structure are otherwise correct, so the most likely cause is that the lookup definition's permissions are not set to allow the user's role.

Exam trap

The trap here is that candidates often assume the issue is a syntax error or incorrect field mapping, but Splunk tests the understanding that lookup permissions can silently block results even when the CSV file and definition are correctly configured.

How to eliminate wrong answers

Option A is wrong because the lookup command syntax 'lookup assets ip AS dest_ip' is correct: it maps the lookup field 'ip' to the event field 'dest_ip', which matches the definition. Option B is wrong because there is no 'name' field in the lookup definition; the matching field is 'ip', and the lookup command does not require a 'name' argument. Option D is wrong because 'inputlookup' is used to load the entire CSV as a dataset, not to perform field-based matching in a search; the 'lookup' command is the correct command for enriching events with lookup data.

346
Matchingmedium

Match each data input type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Tails a file or directory for new data

Receives syslog data via UDP or TCP

Runs a script to collect data

Receives data via HTTP or HTTPS

Collects Windows Event Log data

Why these pairings

Input types define how data gets into Splunk.

347
Multi-Selectmedium

Which THREE of the following are valid ways to narrow search results?

Select 3 answers
A.Using the time range picker
B.Deleting events
C.Applying a field filter
D.Changing the source type
E.Adding a search term
AnswersA, C, E

Adjusting time range limits the scope.

Why this answer

Option A is correct because the time range picker in Splunk restricts the search to events within a specified time window, reducing the dataset before the search executes. This is a fundamental way to narrow results by limiting the scope of indexed data that the search head retrieves from indexers.

Exam trap

The trap here is that candidates may confuse 'changing the source type' with filtering, but source type is a parsing directive that affects field extraction, not a filter that narrows the result set.

348
MCQeasy

A security analyst needs to find the number of failed login attempts per user in the last hour. The events contain a field 'result' with value 'failure'. Which search is correct?

A.index=security source=login result=failure | top user
B.index=security source=login result=failure | timechart count by user
C.index=security source=login result=failure | chart count by user
D.index=security source=login result=failure | stats count by user
AnswerD

Correctly groups by user and counts events.

Why this answer

The `stats count by user` command correctly groups events by the `user` field and counts the number of events per user, which directly answers the question of failed login attempts per user. The search first filters events with `index=security`, `source=login`, and `result=failure`, then uses `stats` to aggregate the count per user. This is the most efficient and precise way to produce a table of user-to-failure-count mappings.

Exam trap

Splunk often tests the distinction between `stats`, `chart`, and `timechart` by presenting a scenario where a simple aggregation is needed, and candidates mistakenly choose `chart` or `timechart` because they think any visualization command is required, when in fact `stats` is the correct non-visual aggregation command.

How to eliminate wrong answers

Option A is wrong because `top user` returns the most frequent users sorted by count, but it does not guarantee a count for every user and is designed for ranking, not for a simple per-user count. Option B is wrong because `timechart count by user` creates a time-based chart, which is unnecessary and adds complexity when the requirement is only for the last hour (the time filter is already applied in the search). Option C is wrong because `chart count by user` produces a statistical chart with default splitting, but it is less straightforward than `stats` and may introduce unwanted formatting or limit the output; `stats` is the canonical command for simple group-by counts.

349
MCQmedium

A report is scheduled to run every 5 minutes. After running, it sends an email if the count of errors exceeds 10. Which report action should be configured?

A.Dashboard panel
B.Alert
C.Real-time search
D.Scheduled report with email action and condition
AnswerD

This combines scheduling with conditional email delivery.

Why this answer

Option D is correct because the requirement is for a scheduled report that runs every 5 minutes and conditionally sends an email only when the count of errors exceeds 10. In Splunk, a scheduled report with an email action and a condition allows you to define a search that runs on a schedule, evaluate a numeric condition (e.g., count > 10), and trigger an email only when that condition is met. This is the exact mechanism for conditional email delivery based on report results.

Exam trap

Splunk often tests the distinction between a scheduled report with a condition and an alert, where candidates mistakenly choose 'Alert' because they think any conditional action is an alert, but the question explicitly asks for a 'report action,' which is a feature of scheduled reports, not alerts.

How to eliminate wrong answers

Option A is wrong because a dashboard panel is a visualization element that displays real-time or historical data in a dashboard; it does not have scheduling or conditional email capabilities. Option B is wrong because an Alert is designed for real-time or scheduled monitoring with actions, but it is not a report; the question specifically asks for a 'report action,' and alerts are separate entities that can trigger actions based on search results, not report-specific actions. Option C is wrong because a real-time search continuously streams data without a fixed schedule and cannot be configured to run every 5 minutes or send conditional emails based on a count threshold.

350
MCQeasy

A Splunk user has created a data model for firewall logs and wants to use it to generate a report showing top source IPs. They attempt to run a search using the data model but receive no results, even though a simple search over the same index returns many events. What is the most likely cause?

A.The user lacks the 'run_data_model' capability.
B.The data model has not been accelerated, and the user is using |tstats without the 'summariesonly=t' option.
C.The time range is outside the data model's acceleration summary.
D.The data model definition contains a syntax error in the constraint field.
AnswerB

|tstats by default uses acceleration summaries; if not accelerated, returns 0.

Why this answer

Option B is correct because when a data model is not accelerated, the `|tstats` command cannot query it directly unless the `summariesonly=t` argument is used, which forces the search to look only at accelerated summaries. Without acceleration, `|tstats` returns no results because it expects precomputed summary data. A simple search over the same index works because it queries raw events directly, bypassing the data model's summary structure.

Exam trap

The trap here is that candidates often assume `|tstats` can always query any data model directly, forgetting that it requires precomputed acceleration summaries to return results.

How to eliminate wrong answers

Option A is wrong because the 'run_data_model' capability does not exist; the relevant capability for using data models is 'dm_model' or 'list_data_models', and lacking a capability would typically produce an error message, not empty results. Option C is wrong because if the time range were outside the acceleration summary, `|tstats` with `summariesonly=t` would still return results from the accelerated range (if any) or an empty set, but the question states no results at all, and the user is not using `summariesonly=t`. Option D is wrong because a syntax error in the data model's constraint field would cause the data model to fail to validate or save, not silently return zero results when queried.

351
MCQmedium

Refer to the exhibit. A user runs this search to get details about a saved search. The results show empty values for the actions types. What is the most likely reason?

A.The rest endpoint does not return actions data.
B.The spath command cannot parse the multivalue actions field correctly without mvexpand.
C.The search title filter is too restrictive.
D.The saved search has no actions configured.
AnswerB

Correct. spath works on single JSON objects; actions is a list, so mvexpand is needed.

Why this answer

The spath command is used incorrectly. The actions field is a multivalue field containing action objects. The spath command expects a single JSON object per event, but actions is a list.

To extract action types, you might need to mvexpand first.

352
MCQhard

A lookup table has been defined with `max_matches = 5`. What does this setting do?

A.It limits the number of fields output from the lookup.
B.It creates a maximum of 5 lookup files.
C.It limits the lookup to return at most 5 results per event.
D.It limits the lookup to match only 5 events.
AnswerC

Controls matches per event.

Why this answer

Option C is correct because the `max_matches` parameter in a Splunk lookup definition controls how many matching rows from the lookup table are appended to a single event. When set to 5, Splunk will return at most 5 lookup results for each event that matches the lookup criteria, preventing excessive field duplication.

Exam trap

The trap here is confusing `max_matches` (per-event row limit) with `max_offset` or `max` parameters that limit the total number of events or results in a search, leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because `max_matches` does not limit the number of fields output; it limits the number of rows (results) returned per event, while field selection is controlled by the lookup definition's field mapping or the `fields` parameter. Option B is wrong because `max_matches` has nothing to do with creating lookup files; it is a runtime behavior setting for an existing lookup table, not a file creation limit. Option D is wrong because `max_matches` limits results per event, not the total number of events that can be matched; the lookup will still attempt to match all events in the search results.

353
MCQeasy

A user wants to create a lookup table to enrich events with customer information. Which file format is NOT supported for a classic CSV-based lookup?

A.TSV
B.XLSX
C.CSV
D.JSON
AnswerB

XLSX is not supported; must be converted to CSV.

Why this answer

Classic CSV-based lookups in Splunk only support delimited text files such as CSV (comma-separated) and TSV (tab-separated). XLSX is a binary Excel format that is not supported for classic CSV-based lookups; it requires a different lookup type (e.g., a KV store lookup or a scripted lookup) or must be converted to CSV first.

Exam trap

Splunk often tests the distinction between file formats that are 'text-based delimited' (CSV, TSV) versus 'binary or structured' (XLSX, JSON) to see if candidates confuse the classic CSV-based lookup with other lookup types that support JSON or Excel via KV store or scripted lookups.

How to eliminate wrong answers

Option A is wrong because TSV (tab-separated values) is a valid delimited text format that Splunk can parse as a classic CSV-based lookup when the delimiter is set to tab. Option C is wrong because CSV (comma-separated values) is the primary format for classic CSV-based lookups. Option D is wrong because JSON is not a delimited text format; it is a structured data format that Splunk supports via KV store lookups or as a lookup table file only when using the JSON lookup type, not the classic CSV-based lookup.

354
MCQeasy

A security analyst uses Splunk to ingest firewall logs from multiple locations. The index is 'firewall' and the sourcetype is 'fw_log'. Each event contains fields: src_ip, dest_ip, action, bytes, and time. The analyst needs to find how many unique source IPs have been logged in the last hour to report potential scanning activity. The search should be efficient and accurate, returning only the total count of distinct source IPs. Which search accomplishes this?

A.index=firewall sourcetype=fw_log earliest=-1h | dedup src_ip | stats count as UniqueIPs
B.index=firewall sourcetype=fw_log earliest=-1h | top src_ip | stats count as UniqueIPs
C.index=firewall sourcetype=fw_log | timechart dc(src_ip) span=1h
D.index=firewall sourcetype=fw_log earliest=-1h | stats dc(src_ip) as UniqueIPs
AnswerD

This correctly filters the last hour and computes the distinct count of src_ip.

Why this answer

Option D is correct because it uses the `stats dc(src_ip)` command, which directly calculates the distinct count of source IPs in a single, efficient pass over the data. The `earliest=-1h` time filter restricts the search to the last hour, and the `as UniqueIPs` alias provides the exact output requested: a single number representing the total count of unique source IPs.

Exam trap

The trap here is that candidates often confuse `dedup` with `distinct count` or think `top` can be adapted to count unique values, but only `stats dc()` directly and efficiently returns the exact count of distinct field values without additional post-processing.

How to eliminate wrong answers

Option A is wrong because `dedup src_ip` removes duplicate events based on src_ip but then `stats count` counts the remaining events, not the distinct IPs; this is inefficient and can be inaccurate if multiple events share the same src_ip but have different other fields. Option B is wrong because `top src_ip` returns a table of the most common src_ip values with their counts, not a single count of unique IPs; it also requires additional processing to extract the total distinct count. Option C is wrong because `timechart dc(src_ip) span=1h` produces a time-based chart with a count per hour, not a single total count for the last hour; it also lacks the `earliest=-1h` time filter, so it would include all historical data.

355
Multi-Selectmedium

Which TWO of the following are valid methods to change the time range of a search in Splunk Web? (Choose two.)

Select 2 answers
A.Select the 'All time' preset.
B.Add relative time modifiers like earliest=-1h to the search string.
C.Change the default time range in the index settings.
D.Use the Time Range Picker dropdown above the search bar.
E.Manually type earliest and latest times in the search bar.
AnswersB, D

Correct: Modifiers override the picker.

Why this answer

Options B and D are correct because the Time Range Picker is the primary method, and using relative time modifiers (e.g., earliest=-1h) in the search string also changes the range. Option A is incorrect because manually entering earliest/latest in the search bar is not standard; time modifiers must be used. Option C is incorrect because 'All time' is a preset within the Time Range Picker, not a separate method.

Option E is incorrect because changing the default index time does not affect the search time range.

356
MCQhard

Refer to the exhibit. An administrator notices that searches against the 'sample_index' index return events older than 24 hours, while searches against other indexes do not. What is the most likely explanation?

A.The maxGlobalTimeFieldSec setting for 'sample_index' is much higher than the default.
B.The default stanza sets a maxGlobalTimeFieldSec that applies to all indexes, but is overridden incorrectly.
C.The index 'sample_index' has a replication factor set that allows older data.
D.The search time range is configured in the search itself to include older data for that index.
AnswerA

maxGlobalTimeFieldSec limits the time window for searches; a higher value allows older events.

Why this answer

Option B is correct because the setting maxGlobalTimeFieldSec for sample_index is set to 604800 seconds (7 days), allowing older events to be returned. The default of 3600 seconds (1 hour) restricts other indexes. Option A is wrong because repFactor is for replication, not time retention.

Option C is wrong because there is no maxTimeFieldSec in the default stanza. Option D is wrong because the search time range is not configured in this file.

357
MCQmedium

A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?

A.Use `dc(user)` with `chart` and a column chart
B.Use `top user` with `timechart` and a pie chart
C.Use `dc(user)` with `timechart` and a column chart
D.Use `count` with `chart` and a bar chart
AnswerC

Correctly counts distinct users per day over time.

Why this answer

Option C is correct because `dc(user)` calculates the distinct count of users, and `timechart` automatically groups results by time (e.g., per day) over the specified 30-day range. A column chart is the appropriate visualization for displaying discrete daily counts, as it clearly shows trends over time.

Exam trap

The trap here is confusing `dc(user)` with `count` or `top`, and assuming `chart` can replace `timechart` for time-based aggregation, when only `timechart` automatically handles time bucketing and produces a proper time axis for column charts.

How to eliminate wrong answers

Option A is wrong because `chart` without a time-based split does not automatically produce daily buckets; it would require an explicit `by` clause for time, and a column chart is not ideal for time-series data without proper time axis. Option B is wrong because `top user` returns the most frequent users, not a distinct count per day, and `timechart` with a pie chart is invalid since pie charts cannot display time-series data. Option D is wrong because `count` counts all events, not distinct users, and `chart` without a time-based grouping does not produce daily results; a bar chart is also inappropriate for time-series trends.

358
MCQhard

A search uses `eval memory_MB = memory_bytes / 1024 / 1024`. The field memory_bytes contains values like '2,048,000'. The eval results memory_MB is often null. What is the most likely cause?

A.The eval command has a syntax error.
B.The field is actually a string with commas.
C.The field needs to be converted first.
D.The division operator does not work on string fields.
AnswerB

Commas cause the string to be non-numeric, leading to null results in division.

Why this answer

Option B is correct because the `memory_bytes` field contains values like '2,048,000', which include commas. In Splunk, fields with commas are treated as strings, not numeric values. When `eval` attempts arithmetic division on a string field, it returns null because the operation cannot be performed on non-numeric data.

The commas must be removed (e.g., using `replace` or `tonumber`) before the field can be used in calculations.

Exam trap

Splunk often tests the misconception that Splunk automatically handles commas in numeric fields, leading candidates to overlook the need to explicitly remove non-numeric characters before arithmetic operations.

How to eliminate wrong answers

Option A is wrong because the `eval` command syntax is correct: `eval memory_MB = memory_bytes / 1024 / 1024` is valid Splunk syntax. Option C is wrong because the field does not need to be 'converted first' in a generic sense—the specific issue is that the commas make it a string, not that the field type is inherently incompatible. Option D is wrong because the division operator does work on string fields that contain numeric values without commas (Splunk auto-converts them), but it fails when the string contains non-numeric characters like commas.

359
Matchingmedium

Match each Splunk component to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Processes incoming data and stores it in indexes

Handles search requests and distributes to indexers

Sends data to indexers or other forwarders

Manages configuration of forwarders

Manages license usage across the deployment

Why these pairings

These are key components in a Splunk deployment.

360
MCQmedium

Which tab in the Search app should be used to view the raw events in their original format?

A.Patterns
B.Statistics
C.Events
D.Visualization
AnswerC

Displays each event as indexed with all fields.

Why this answer

The Events tab in the Search app displays raw events in their original format, showing the complete log line as indexed by Splunk. This tab is the default view when running a search and provides the full event data without any aggregation or transformation.

Exam trap

The trap here is that candidates confuse the Events tab with the Statistics tab, thinking that raw data is shown in Statistics because it displays numerical results, but raw events are only visible in the Events tab.

How to eliminate wrong answers

Option A is wrong because the Patterns tab groups events by common structural patterns (like log formats or timestamps), not raw event content. Option B is wrong because the Statistics tab shows aggregated, computed results (e.g., counts, averages) from transforming commands like stats or timechart, not raw events. Option D is wrong because the Visualization tab renders charts, graphs, or other visual representations of statistical data, not the original raw event text.

361
MCQmedium

A security analyst wants to investigate a suspicious IP address that appeared in multiple log sources. Which Splunk feature is best suited to quickly find all events containing that IP across all indexed data?

A.Data Summary
B.Dashboard panel
C.Alert action
D.Search bar in the Search & Reporting app
AnswerD

The search bar allows running a query across all data.

Why this answer

The Search bar in the Search & Reporting app is the primary interface for running ad-hoc searches across all indexed data. By entering the suspicious IP address directly into the search bar, the analyst can quickly retrieve all events containing that IP from any log source, leveraging Splunk's search-time field extraction and index-time data ingestion.

Exam trap

The trap here is that candidates may confuse the Data Summary's data source overview with a search capability, but Data Summary only shows metadata about data inputs, not the ability to query event content.

How to eliminate wrong answers

Option A is wrong because Data Summary provides a high-level overview of data sources, sourcetypes, and hosts, but does not allow searching for specific field values like an IP address. Option B is wrong because a Dashboard panel displays pre-configured visualizations based on saved searches, not an interactive tool for ad-hoc investigation of a specific IP. Option C is wrong because Alert actions are triggered by scheduled or real-time searches to send notifications, not designed for manually searching across all data.

362
MCQeasy

Refer to the exhibit. What is the effect of this command?

A.Configures a data output to the specified server
B.Restarts Splunk
C.Enables SSL for forwarding
D.Adds a forwarder to receive data
AnswerA

It defines a target indexer to forward data to.

Why this answer

This command configures the current Splunk instance to forward data to the specified server at 192.168.1.10:9997. It sets up a forwarding output destination.

363
Multi-Selecthard

Which THREE of the following are valid uses of the 'eval' command? (Choose three.)

Select 3 answers
A.Grouping events by a field: eval by host
B.Concatenating two strings: eval fullname = firstname + " " + lastname
C.Sorting events by a field: eval sort by _time
D.Calculating a ratio: eval ratio = count / total
E.Creating a conditional field: eval status = if(error > 0, "Error", "OK")
AnswersB, D, E

String concatenation is valid.

Why this answer

Option B is correct because the 'eval' command can concatenate strings using the plus (+) operator, as shown in the example 'eval fullname = firstname + " " + lastname'. This creates a new field 'fullname' by combining the values of 'firstname', a space, and 'lastname'.

Exam trap

Splunk often tests the distinction between 'eval' for per-event calculations and commands like 'stats' or 'sort' for cross-event operations, leading candidates to mistakenly think 'eval' can group or sort events.

364
Multi-Selecteasy

Which TWO of the following are valid methods to convert a saved search into a report in Splunk?

Select 2 answers
A.On the search results page, click the 'Save As' button and select 'Report'.
B.Open the saved search, click 'Edit', then select 'Convert to Dashboard Panel'.
C.Click 'Reports' in the app bar, then 'Create New Report', and select 'From an existing saved search'.
D.From the 'Saved Searches' page, edit the search and choose 'Save As Report' from the Actions menu.
E.From the 'Job Manager', select the job and click 'Convert to Report'.
AnswersC, D

This is another valid method to convert a saved search to a report.

Why this answer

Option C is correct because Splunk provides a dedicated workflow to create a report from an existing saved search via the 'Reports' page. By clicking 'Create New Report' and selecting 'From an existing saved search', you can directly convert the saved search's query and settings into a report object, preserving the search logic and scheduling. This method is explicitly supported in Splunk's UI for report creation.

Exam trap

The trap here is that candidates may confuse the 'Save As' button on the search results page (which works for ad hoc searches) with the dedicated saved-search-to-report conversion path, or mistakenly think the 'Job Manager' or 'Convert to Dashboard Panel' options are valid for creating a report.

365
MCQeasy

A new Splunk admin wants to reduce the time it takes to run reports on a large dataset. They have enabled acceleration on a data model. Which of the following is a best practice to maximize acceleration benefits?

A.Add more indexers to the cluster to increase the speed of data model acceleration.
B.Limit the data model to only the most recent 7 days of data to reduce summary size.
C.Create a separate acceleration summary for each search using the |accelerate command.
D.Enable acceleration on the data model and schedule a periodic summary rebuild.
AnswerD

Acceleration precomputes summaries, and scheduling rebuilds ensures timeliness.

Why this answer

Option D is correct because enabling acceleration on a data model and scheduling a periodic summary rebuild ensures that the acceleration summaries are kept up-to-date without manual intervention. This maximizes the benefit of acceleration by pre-computing aggregations for the data model's root search, allowing reports to run against the smaller, optimized summary rather than the raw dataset, which significantly reduces query time.

Exam trap

Splunk often tests the misconception that acceleration requires manual per-search commands or that scaling infrastructure alone solves performance issues, but the correct approach is to leverage Splunk's built-in data model acceleration with a scheduled rebuild to automate summary maintenance.

How to eliminate wrong answers

Option A is wrong because adding more indexers improves indexing and search distribution, but it does not directly reduce the time to run reports on an accelerated data model; acceleration works by pre-computing summaries on the search head, not by scaling indexers. Option B is wrong because limiting the data model to only the most recent 7 days of data would exclude historical data from reports, which may not meet business requirements; acceleration can be applied to any time range, and the summary size is managed by the acceleration's time range and granularity settings, not by artificially restricting the data model. Option C is wrong because the |accelerate command does not exist in Splunk; acceleration is configured on data models or reports via the 'Acceleration' settings in the UI or through the 'datamodel accelerate' command, and creating a separate summary for each search would be inefficient and is not a supported best practice.

366
Multi-Selectmedium

Which four of the following are best practices for working with data models in Splunk? (Choose four.)

Select 4 answers
.Use acceleration to improve search performance on large datasets.
.Design data models to match the structure of your raw data as closely as possible.
.Use constraints in data model definitions to limit the scope of events included.
.Create separate data models for distinct use cases or data sources.
.Avoid using calculated fields within data models to reduce complexity.
.Regularly review and update data models to reflect changes in data sources.

Why this answer

Null is correct because data model acceleration pre-computes and stores summaries of the data, dramatically reducing search time on large datasets. This is a core best practice for optimizing performance when working with data models in Splunk.

Exam trap

Splunk often tests the misconception that data models should mirror raw data structure, but Splunk best practices emphasize designing models for analytics and normalization, not raw data fidelity.

367
MCQmedium

A dashboard includes a time range picker. When a user selects 'Last 7 days', one panel does not update its data accordingly. What is the most likely cause?

A.The panel has insufficient permissions to access the data.
B.The panel's search uses a hard-coded time range like earliest=-30d.
C.The dashboard time picker is set to 'All time'.
D.The panel is based on a scheduled report.
AnswerB

Hard-coded time ranges override the dashboard time picker.

Why this answer

When a dashboard has a time range picker, each panel's search must reference the picker's time tokens (e.g., `$time$` or `$earliest$`/`$latest$`) to dynamically inherit the selected range. Option B is correct because a hard-coded time range like `earliest=-30d` overrides the picker, causing the panel to ignore the user's selection of 'Last 7 days' and always show data from the last 30 days.

Exam trap

Splunk often tests the distinction between a dashboard-level time picker setting and a panel-level search override; the trap here is that candidates may think the picker itself is misconfigured (Option C) when the real issue is a hard-coded time range in the panel's search string.

How to eliminate wrong answers

Option A is wrong because insufficient permissions would cause a data access error or blank results, not a failure to update when the time range changes; permissions are unrelated to time token inheritance. Option C is wrong because the dashboard time picker being set to 'All time' would affect all panels uniformly, not cause a single panel to ignore the picker; the issue is panel-level override, not picker-level setting. Option D is wrong because a panel based on a scheduled report can still respect the time picker if its search uses time tokens; the scheduled report itself does not inherently prevent dynamic time updates.

368
Multi-Selecthard

Which TWO factors should be considered when deciding to use the rare command instead of top?

Select 2 answers
A.The dataset has high cardinality in the field of interest
B.Rare is faster than top
C.Top is always preferred for security analysis
D.The analysis goal is to identify infrequent values
E.The user wants to view results sorted alphabetically
AnswersA, D

Rare can help in high cardinality fields to find unusual occurrences.

Why this answer

Option A is correct because the `rare` command is specifically designed to return the least common values of a field, making it ideal for high-cardinality fields where the `top` command would produce a long, less useful list of many low-frequency values. When a field has high cardinality (many unique values), `rare` helps surface the infrequent events that might be missed by `top`, which focuses on the most frequent values. This aligns with the use case of identifying outliers or anomalies in datasets with many distinct field values.

Exam trap

The trap here is that candidates may assume `rare` is faster or always better for security, but the question specifically tests the understanding that `rare` is chosen based on analysis goals (finding infrequent values) and field cardinality, not performance or blanket preferences.

369
MCQeasy

A security analyst wants to count the number of unique users who have logged in over the past week. Which field-based command should they use?

A.index=main sourcetype=login | stats sum(user)
B.index=main sourcetype=login | dedup user | stats count
C.index=main sourcetype=login | stats count by user
D.index=main sourcetype=login | top user
AnswerB

Dedup removes duplicate users, then stats count gives the number of unique users.

Why this answer

Option B is correct because it first uses `dedup user` to remove duplicate user values, leaving only unique users, and then `stats count` to count the remaining events, which effectively counts the number of unique users who logged in over the past week. This approach ensures each user is counted only once, meeting the requirement for a unique count.

Exam trap

The trap here is that candidates often confuse `stats count by user` (which groups by user) with counting unique users, or they incorrectly use `sum` on non-numeric fields, leading them to choose options that do not produce a single unique count.

How to eliminate wrong answers

Option A is wrong because `sum(user)` attempts to sum string values, which is invalid and will not produce a count of unique users; it would cause an error or return 0. Option C is wrong because `stats count by user` counts the number of events per user, not the number of unique users; it returns a table of users with their event counts, not a single total. Option D is wrong because `top user` lists the most frequent users based on event count, not the count of unique users; it focuses on frequency rather than uniqueness.

370
Multi-Selecteasy

Which TWO are benefits of using data model acceleration? (Choose two.)

Select 2 answers
A.Reduced time to run complex aggregations and statistical searches.
B.Faster search performance on large datasets.
C.Reduced disk space usage by compressing indexed data.
D.Eliminates the need for data indexing by using summary data.
E.Simplified data model design by automatically optimizing relationships.
AnswersA, B

Acceleration avoids scanning all raw data.

Why this answer

Option A is correct because data model acceleration pre-computes and stores aggregated data in the form of summaries (`.tsidx` files), which drastically reduces the time needed to run complex statistical and aggregation searches like `stats`, `timechart`, or `top`. Instead of scanning raw events, Splunk queries these pre-built summaries, enabling sub-second response times for large datasets.

Exam trap

Splunk often tests the misconception that acceleration compresses data or reduces disk usage, but in reality it trades disk space for query speed by storing redundant summary data.

371
MCQmedium

Refer to the exhibit. A user runs a search with `| lookup excel_lookup product_id OUTPUT sales_rep`. For a product_id that exists in the CSV but with a different case (e.g., "ABC123" vs "abc123"), what will be the value of the `sales_rep` field after the lookup?

A.The correct sales_rep from the lookup.
B.An error because case mismatch.
C."N/A" because the case does not match and default_match is set.
D.An empty string because no match.
AnswerC

default_match is used.

Why this answer

Option B is correct because case_sensitive_match=true means the cases must match exactly. Since there is no exact match, the lookup will use the default_match value, which is "N/A". Option A is wrong because case differs.

Option C wrong because empty string is not used. Option D wrong because no error occurs.

372
Multi-Selecthard

Which TWO options are correct about post-process searches in dashboards?

Select 2 answers
A.They can reduce search load by reusing base search results
B.They support all SPL commands that base searches support
C.They can be used only within the same dashboard
D.They can override the time range of the base search
E.They automatically inherit all fields from the base search
AnswersA, C

Post-process searches operate on the base search results, avoiding redundant data retrieval.

Why this answer

Options A and D are correct. Post-process searches reuse base search results, reducing load, and they can only be used within the same dashboard. Option B is false because not all commands are supported; Option C is false because not all fields are inherited; Option E is false because they cannot override the base search time range.

373
MCQeasy

An administrator wants to list all data models in the current app and see their acceleration status. Which command should they use?

A.| datamodel info
B.| datamodel list
C.| datamodel search
D.| datamodel show
AnswerB

This lists all data models with acceleration status.

Why this answer

The `| datamodel list` command is the correct choice because it lists all data models in the current app context and displays their acceleration status, including whether acceleration is enabled, the acceleration schedule, and the last build time. This command is specifically designed for inventory and status reporting of data models, not for searching or inspecting individual model details.

Exam trap

The trap here is that candidates confuse `| datamodel list` with `| datamodel` (which outputs XML) or `| datamodel search` (which runs a search against a model), leading them to pick a command that either doesn't exist or serves a different purpose.

How to eliminate wrong answers

Option A is wrong because `| datamodel info` is not a valid Splunk command; the correct command for viewing details of a specific data model is `| datamodel` with the model name, but it does not list all models or show acceleration status. Option C is wrong because `| datamodel search` is used to search against a data model's fields (e.g., `| datamodel <model_name> search`) and does not list models or show acceleration status. Option D is wrong because `| datamodel show` is not a valid Splunk command; the closest valid command is `| datamodel` with no subcommand, which outputs the data model's XML definition, not a list of all models with acceleration status.

374
MCQhard

An analyst executes the following search: index=main sourcetype=access | stats dc(user) by host. What does dc(user) do?

A.Count of hosts
B.Distinct count of users per host
C.Count of all users
D.Sum of user IDs
AnswerB

dc(user) by host returns the number of unique users for each host.

Why this answer

The `dc(user)` function in SPL stands for 'distinct count' of the `user` field. When used after `stats ... by host`, it calculates the number of unique users associated with each host. This is why option B is correct: it returns the distinct count of users per host.

Exam trap

The trap here is that candidates confuse `dc()` with `count()` or `sum()`, thinking it returns a total count of events or a sum of values, rather than understanding it performs a distinct count of field values per group.

How to eliminate wrong answers

Option A is wrong because `dc(user)` counts unique users, not hosts; the `by host` clause groups results by host, but the aggregation is on the user field. Option C is wrong because `dc(user)` does not count all users across the entire result set; it counts distinct users per group (per host), not a global total. Option D is wrong because `dc(user)` performs a distinct count, not a sum; summing user IDs would be meaningless and is not what the `dc()` function does.

375
Multi-Selectmedium

Which THREE actions are possible when editing a dashboard in Studio?

Select 3 answers
A.Set a custom time range for the dashboard.
B.Edit the underlying search of a report used in a panel.
C.Add custom CSS to style the dashboard.
D.Convert a static panel to a form input.
E.Export the dashboard as a PDF from the editor.
AnswersA, C, D

Yes, in dashboard properties.

Why this answer

Option A is correct because in Splunk Dashboard Studio, you can set a custom time range for the entire dashboard via the 'Time Range' picker in the editor. This overrides the default time range and applies to all panels that do not have their own explicit time range set, allowing consistent temporal scoping across the dashboard.

Exam trap

Splunk often tests the misconception that you can edit a report's search directly from Dashboard Studio, when in fact reports are separate entities that must be modified independently.

Page 4

Page 5 of 7

Page 6

All pages