CCNA Creating Reports, Dashboards and Visualizations Questions

48 of 123 questions · Page 2/2 · Creating Reports, Dashboards and Visualizations · Answers revealed

76
MCQhard

A large enterprise Splunk environment has a heavy forwarder sending 2 TB of log data per day. An operator builds a dashboard that displays a real-time chart of events per second across all data sources, using the search 'index=* | stats count by sourcetype' with a real-time window of last 10 minutes. The dashboard is extremely slow, often timing out. The operator suspects the search is too broad. Which optimization strategy should be implemented first?

A.Replace the real-time search with a base search that runs every 10 minutes
B.Implement a summary index that aggregates events per second by sourcetype every minute, and have the dashboard search the summary index
C.Change the real-time window to a 10-minute historical search and enable report acceleration
D.Create a data model for all sourcetypes and use acceleration on the data model
AnswerB

Summary indexing pre-computes aggregated data, drastically reducing search volume.

Why this answer

Option B is correct because a summary index pre-aggregates the events-per-second data by sourcetype at a regular interval (e.g., every minute), drastically reducing the data volume the dashboard must scan. Instead of processing 2 TB of raw logs in real time, the dashboard queries a small, precomputed table, eliminating the performance bottleneck caused by the heavy forwarder's high ingestion rate.

Exam trap

Splunk often tests the misconception that report acceleration or data model acceleration can solve real-time performance issues, but these features are designed for historical searches and pivot-based reporting, not for reducing the raw data volume in near-real-time dashboards.

How to eliminate wrong answers

Option A is wrong because replacing a real-time search with a base search that runs every 10 minutes still forces the search to scan all raw data (2 TB per day) each time it runs, which does not reduce the computational load and can still cause timeouts. Option C is wrong because enabling report acceleration on a 10-minute historical search still requires Splunk to scan the full raw data index for that window, and report acceleration is designed for longer-term historical searches, not for near-real-time dashboards with high-volume data. Option D is wrong because a data model with acceleration still requires the underlying raw data to be searched and summarized on the fly for real-time queries; data model acceleration is optimized for pivot-based reporting, not for real-time event-per-second calculations across all sourcetypes.

77
Multi-Selecteasy

Which TWO options are valid when adding a panel to a dashboard from an existing report? (Choose two.)

Select 2 answers
A.The panel can be added as a table, chart, or single value based on the report's results.
B.The panel can only be added to the same app where the report was created.
C.The report is added as a link to the dashboard.
D.The report's search string is used as the panel's search, but it can be modified after adding.
E.The report's scheduled run time is inherited by the dashboard.
AnswersA, D

When adding from a report, you select the visualization type.

Why this answer

Option A is correct because when you add a panel from an existing report to a dashboard, Splunk allows you to choose the visualization type (table, chart, or single value) based on the report's results. This flexibility lets you reuse the report's data while customizing how it is displayed on the dashboard.

Exam trap

The trap here is that candidates often confuse 'adding a panel from a report' with 'adding a report as a link' or assume the report's scheduling applies to the dashboard, when in fact the search is embedded and the panel's behavior is decoupled from the original report's schedule and app context.

78
MCQhard

Refer to the exhibit. A user runs this search and the resulting timechart shows multiple lines, one for each host. The user wants to show only the top 3 hosts by total count. Which modification achieves this?

A.Add | top 3 host before timechart
B.Add | top 3 host after timechart
C.Add | where host in (select top 3) after timechart
D.Add | head 3 after timechart
AnswerA

This reduces data to top 3 hosts first.

Why this answer

Option A is correct because the `top 3 host` command, when placed before `timechart`, calculates the top 3 hosts by total count across the entire search timeframe, then passes only those three hosts to the `timechart` command. This ensures the timechart displays exactly three lines, one for each of the top hosts, based on their overall event count.

Exam trap

Splunk often tests the order of piped commands in Splunk, and the trap here is that candidates mistakenly think `top` or `head` can be applied after `timechart` to limit the number of lines, not realizing that `timechart` already creates a separate series for each distinct value of the split-by field, and post-commands like `head` only limit rows (time buckets), not series.

How to eliminate wrong answers

Option B is wrong because placing `top 3 host` after `timechart` would attempt to apply the `top` command to the timechart results, which are already aggregated into time-series data; this would not filter the original hosts before the timechart, so all hosts would still appear in the visualization. Option C is wrong because `where host in (select top 3)` is not valid SPL syntax; there is no subquery or `select` statement in Splunk's search language, and this would cause a parsing error. Option D is wrong because `head 3` after `timechart` would simply return the first three rows of the timechart results (likely the earliest three time buckets), not the top three hosts by count, and would not reduce the number of lines in the chart.

79
MCQeasy

A security team wants to monitor the count of failed login attempts over the past week. They need a simple at-a-glance number. Which visualization type should they use?

A.Line chart
B.Bar chart
C.Pie chart
D.Single Value
AnswerD

Single Value is designed to show a single metric prominently.

Why this answer

A Single Value visualization is the correct choice because it displays a single, aggregated number prominently, making it ideal for an at-a-glance metric like the count of failed login attempts over the past week. In Splunk, you can use a stats or timechart command to calculate the total count and then render it as a Single Value, which shows just the number without any trend or distribution detail.

Exam trap

The trap here is that candidates often overthink and choose a chart type (like Line or Bar) because they associate monitoring with trends, forgetting that the requirement is specifically for a single at-a-glance number, not a pattern over time.

How to eliminate wrong answers

Option A is wrong because a Line chart is designed to show trends over time, not a single aggregated count, and would require time-series data to be meaningful. Option B is wrong because a Bar chart is used for comparing values across categories or time periods, which adds unnecessary complexity for a simple total count. Option C is wrong because a Pie chart is meant for showing proportions of a whole, not a single numeric value, and would be misleading if used for a single metric.

80
MCQmedium

A dashboard uses a base search and a post-process search that modifies the fields. When the base search returns no results, the panel shows an error. How can this be handled?

A.Use the default attribute on the post-process search to provide fallback results
B.Use the depends attribute on the panel and set a token in the base search when results exist
C.Reset the base search to return at least one result
D.Set the panel refresh to a higher interval
AnswerB

This conditionally hides the panel when the base search returns no results, preventing the error.

Why this answer

Option B is correct because the `depends` attribute on a panel allows you to conditionally show or hide the panel based on whether a token is set. By setting a token (e.g., `results_exist`) in the base search only when results are returned, the panel will be hidden when the base search returns no results, preventing the error. This is the standard Splunk approach to handle empty base search results in post-process searches.

Exam trap

Splunk often tests the misconception that you can use a `default` attribute or modify the base search to force results, when in reality the correct approach is to use token-based conditional rendering with the `depends` attribute to hide the panel when no data exists.

How to eliminate wrong answers

Option A is wrong because the `default` attribute on a post-process search does not exist; post-process searches cannot have fallback results defined via an attribute, and they rely entirely on the base search's output. Option C is wrong because resetting the base search to return at least one result is not a valid solution—you cannot force a search to return results if the data doesn't exist, and doing so would corrupt the dashboard's accuracy. Option D is wrong because setting the panel refresh to a higher interval does not address the root cause of the error; it only changes how often the search runs, but if the base search still returns no results, the error will persist on each refresh.

81
MCQhard

A dashboard has multiple panels that use the same base search. The admin wants to avoid running the same search multiple times. Which feature should be used?

A.Post-process search
B.Report acceleration
C.Data model
D.Summary indexing
AnswerA

Post-process searches share a common base search, running it once for multiple panels.

Why this answer

Option A is correct because post-process searches allow a dashboard panel to run a secondary search against the results of a base search, rather than re-running the original search against the index. This avoids redundant data retrieval and processing, as the base search runs once and its results are stored in a results server, which subsequent post-process searches query using the `| search` command or similar filtering.

Exam trap

The trap here is that candidates often confuse post-process searches with report acceleration or summary indexing, thinking any caching mechanism will work, but only post-process searches directly reuse a single base search's result set across multiple panels without additional index queries.

How to eliminate wrong answers

Option B is wrong because report acceleration pre-computes and stores aggregated results for a single report or search, but it does not enable multiple panels to share a single base search result; each accelerated report still runs its own search against the index. Option C is wrong because a data model defines a hierarchical, persistent schema over indexed data and is used for pivot-based reporting, not for sharing a live base search result across panels; it requires separate searches or pivot queries to generate data. Option D is wrong because summary indexing saves the results of a search to a summary index for later use, but it requires explicit scheduling and writing to a separate index, and panels would need to search that summary index independently, not directly share the same base search result in real time.

82
MCQmedium

A financial analyst creates a dashboard in Splunk Web to track daily transaction volumes. The dashboard has three panels: a table of top 10 merchants by transaction count, a bar chart of transactions by hour, and a single value showing total transaction amount. All panels use the same base search from the 'transactions' index. The analyst is in the 'finance' role. The dashboard runs fine in the analyst's session, but when the analyst shares the dashboard with the 'auditor' role, the auditor sees no data in any panel. The auditor role has read access to the dashboard and the 'transactions' index. What is the most likely cause?

A.The base search used in the dashboard's panels is a saved search owned by the analyst, and the 'auditor' role does not have permissions to that saved search
B.The 'auditor' role does not have read access to the 'transactions' index
C.The dashboard's permission is set to 'private' and only the analyst can view it
D.The dashboard is set to run as the 'finance' role, and the 'auditor' role lacks the 'rbac_perm' privilege
AnswerA

If the base search is saved and owned by the analyst, other roles need explicit read permission on that search object.

Why this answer

Option A is correct because the base search is a saved search owned by the analyst. When a dashboard uses a saved search as its base search, Splunk enforces permissions on that saved search object. Even though the auditor role has read access to the 'transactions' index, if the saved search itself is not shared with the auditor role (e.g., it remains private to the analyst), the dashboard panels will fail to retrieve data for the auditor.

This is a common permission scoping issue in Splunk where data access is gated by the saved search object, not just the index.

Exam trap

Splunk often tests the misconception that index-level read access alone guarantees data visibility in dashboards, ignoring the separate permission layer on saved search objects used as base searches.

How to eliminate wrong answers

Option B is wrong because the question explicitly states the auditor role has read access to the 'transactions' index, so index-level permissions are not the issue. Option C is wrong because if the dashboard were private, the analyst could not share it at all; the auditor can see the dashboard (no data), so the dashboard itself is shared. Option D is wrong because there is no 'rbac_perm' privilege in Splunk; dashboards can be set to run as a specific role via 'run as' permissions, but the core issue here is the saved search ownership, not a missing privilege name that doesn't exist.

83
MCQhard

Refer to the exhibit. The dashboard panel shows a column chart of bytes by protocol for the last 24 hours. However, the chart shows only one column. What is the most likely cause?

A.The search returns only one result row
B.The chart type cannot display multiple columns
C.The protocol field is not extracted
D.The time range is not wide enough
AnswerA

A single result row means one unique protocol, hence one column.

Why this answer

Option A is correct because a column chart in Splunk displays one column per distinct value of the x-axis field. If the search returns only one result row (e.g., a single protocol value such as 'HTTP' with a total byte count), the chart will render a single column. This typically occurs when the search uses a stats or timechart command that groups by a field with only one unique value, or when a filter like `protocol=*` inadvertently matches only one protocol.

Exam trap

Splunk often tests the misconception that a single column indicates a data extraction problem (like field not extracted) or a visualization limitation, when the real issue is that the search result set contains only one distinct value for the grouping field.

How to eliminate wrong answers

Option B is wrong because Splunk column charts can display multiple columns when the x-axis field has multiple distinct values; the chart type is not inherently limited to one column. Option C is wrong because if the protocol field were not extracted, the chart would show no columns or an error, not a single column with data. Option D is wrong because the time range being too narrow would reduce the number of events but still allow multiple protocol values to appear if they exist in that window; a single column indicates a single distinct value, not insufficient time span.

84
MCQhard

Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?

A.The index 'web' does not contain any events.
B.The bar chart cannot display the results.
C.The stats command requires a by clause and host is not a valid field.
D.The 'response_time' field does not exist in the access_combined sourcetype.
AnswerD

Correct. Access_combined sourcetype usually does not include response_time; it might be in other sourcetypes.

Why this answer

The search for response time uses a field 'response_time' which may not exist in the access_combined sourcetype. The access_combined sourcetype typically does not have a response_time field; it might be named differently (e.g., time_taken).

85
Multi-Selectmedium

Which TWO actions are valid for modifying the appearance of a column chart in a dashboard panel? (Choose two.)

Select 2 answers
A.Set the chart to use a radial display to make it a pie chart.
B.Swap the chart type to a horizontal bar chart using the 'Chart' dropdown.
C.Adjust marker size to make bars thicker.
D.Specify a sort order for the x-axis categories.
E.Change the color palette in the 'Colors' section of the formatting options.
AnswersD, E

Sorting the x-axis is possible via 'Sort' option under 'X-Axis'.

Why this answer

Option D is correct because in a column chart, you can specify a sort order for the x-axis categories using the 'Sorting' options in the formatting panel. This allows you to control the sequence of categories displayed, such as sorting by alphabetical order or by a numeric field value. Option E is correct because the 'Colors' section in the formatting options lets you change the color palette for the chart, modifying the appearance of the columns.

Exam trap

The trap here is that candidates often confuse 'modifying appearance' with 'changing chart type' or 'adjusting properties that don't apply to column charts', such as marker size, which is specific to line and scatter plots.

86
MCQmedium

A report is scheduled to run every 5 minutes. After running, it sends an email if the count of errors exceeds 10. Which report action should be configured?

A.Dashboard panel
B.Alert
C.Real-time search
D.Scheduled report with email action and condition
AnswerD

This combines scheduling with conditional email delivery.

Why this answer

Option D is correct because the requirement is for a scheduled report that runs every 5 minutes and conditionally sends an email only when the count of errors exceeds 10. In Splunk, a scheduled report with an email action and a condition allows you to define a search that runs on a schedule, evaluate a numeric condition (e.g., count > 10), and trigger an email only when that condition is met. This is the exact mechanism for conditional email delivery based on report results.

Exam trap

Splunk often tests the distinction between a scheduled report with a condition and an alert, where candidates mistakenly choose 'Alert' because they think any conditional action is an alert, but the question explicitly asks for a 'report action,' which is a feature of scheduled reports, not alerts.

How to eliminate wrong answers

Option A is wrong because a dashboard panel is a visualization element that displays real-time or historical data in a dashboard; it does not have scheduling or conditional email capabilities. Option B is wrong because an Alert is designed for real-time or scheduled monitoring with actions, but it is not a report; the question specifically asks for a 'report action,' and alerts are separate entities that can trigger actions based on search results, not report-specific actions. Option C is wrong because a real-time search continuously streams data without a fixed schedule and cannot be configured to run every 5 minutes or send conditional emails based on a count threshold.

87
MCQmedium

Refer to the exhibit. A user runs this search to get details about a saved search. The results show empty values for the actions types. What is the most likely reason?

A.The rest endpoint does not return actions data.
B.The spath command cannot parse the multivalue actions field correctly without mvexpand.
C.The search title filter is too restrictive.
D.The saved search has no actions configured.
AnswerB

Correct. spath works on single JSON objects; actions is a list, so mvexpand is needed.

Why this answer

The spath command is used incorrectly. The actions field is a multivalue field containing action objects. The spath command expects a single JSON object per event, but actions is a list.

To extract action types, you might need to mvexpand first.

88
MCQmedium

A security team needs to create a report that shows the number of distinct users who triggered a firewall block each day for the past 30 days. Which search and visualization combination should be used?

A.Use `dc(user)` with `chart` and a column chart
B.Use `top user` with `timechart` and a pie chart
C.Use `dc(user)` with `timechart` and a column chart
D.Use `count` with `chart` and a bar chart
AnswerC

Correctly counts distinct users per day over time.

Why this answer

Option C is correct because `dc(user)` calculates the distinct count of users, and `timechart` automatically groups results by time (e.g., per day) over the specified 30-day range. A column chart is the appropriate visualization for displaying discrete daily counts, as it clearly shows trends over time.

Exam trap

The trap here is confusing `dc(user)` with `count` or `top`, and assuming `chart` can replace `timechart` for time-based aggregation, when only `timechart` automatically handles time bucketing and produces a proper time axis for column charts.

How to eliminate wrong answers

Option A is wrong because `chart` without a time-based split does not automatically produce daily buckets; it would require an explicit `by` clause for time, and a column chart is not ideal for time-series data without proper time axis. Option B is wrong because `top user` returns the most frequent users, not a distinct count per day, and `timechart` with a pie chart is invalid since pie charts cannot display time-series data. Option D is wrong because `count` counts all events, not distinct users, and `chart` without a time-based grouping does not produce daily results; a bar chart is also inappropriate for time-series trends.

89
Matchingmedium

Match each Splunk component to its purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Processes incoming data and stores it in indexes

Handles search requests and distributes to indexers

Sends data to indexers or other forwarders

Manages configuration of forwarders

Manages license usage across the deployment

Why these pairings

These are key components in a Splunk deployment.

90
Multi-Selecteasy

Which TWO of the following are valid methods to convert a saved search into a report in Splunk?

Select 2 answers
A.On the search results page, click the 'Save As' button and select 'Report'.
B.Open the saved search, click 'Edit', then select 'Convert to Dashboard Panel'.
C.Click 'Reports' in the app bar, then 'Create New Report', and select 'From an existing saved search'.
D.From the 'Saved Searches' page, edit the search and choose 'Save As Report' from the Actions menu.
E.From the 'Job Manager', select the job and click 'Convert to Report'.
AnswersC, D

This is another valid method to convert a saved search to a report.

Why this answer

Option C is correct because Splunk provides a dedicated workflow to create a report from an existing saved search via the 'Reports' page. By clicking 'Create New Report' and selecting 'From an existing saved search', you can directly convert the saved search's query and settings into a report object, preserving the search logic and scheduling. This method is explicitly supported in Splunk's UI for report creation.

Exam trap

The trap here is that candidates may confuse the 'Save As' button on the search results page (which works for ad hoc searches) with the dedicated saved-search-to-report conversion path, or mistakenly think the 'Job Manager' or 'Convert to Dashboard Panel' options are valid for creating a report.

91
MCQmedium

A dashboard includes a time range picker. When a user selects 'Last 7 days', one panel does not update its data accordingly. What is the most likely cause?

A.The panel has insufficient permissions to access the data.
B.The panel's search uses a hard-coded time range like earliest=-30d.
C.The dashboard time picker is set to 'All time'.
D.The panel is based on a scheduled report.
AnswerB

Hard-coded time ranges override the dashboard time picker.

Why this answer

When a dashboard has a time range picker, each panel's search must reference the picker's time tokens (e.g., `$time$` or `$earliest$`/`$latest$`) to dynamically inherit the selected range. Option B is correct because a hard-coded time range like `earliest=-30d` overrides the picker, causing the panel to ignore the user's selection of 'Last 7 days' and always show data from the last 30 days.

Exam trap

Splunk often tests the distinction between a dashboard-level time picker setting and a panel-level search override; the trap here is that candidates may think the picker itself is misconfigured (Option C) when the real issue is a hard-coded time range in the panel's search string.

How to eliminate wrong answers

Option A is wrong because insufficient permissions would cause a data access error or blank results, not a failure to update when the time range changes; permissions are unrelated to time token inheritance. Option C is wrong because the dashboard time picker being set to 'All time' would affect all panels uniformly, not cause a single panel to ignore the picker; the issue is panel-level override, not picker-level setting. Option D is wrong because a panel based on a scheduled report can still respect the time picker if its search uses time tokens; the scheduled report itself does not inherently prevent dynamic time updates.

92
Multi-Selecthard

Which TWO options are correct about post-process searches in dashboards?

Select 2 answers
A.They can reduce search load by reusing base search results
B.They support all SPL commands that base searches support
C.They can be used only within the same dashboard
D.They can override the time range of the base search
E.They automatically inherit all fields from the base search
AnswersA, C

Post-process searches operate on the base search results, avoiding redundant data retrieval.

Why this answer

Options A and D are correct. Post-process searches reuse base search results, reducing load, and they can only be used within the same dashboard. Option B is false because not all commands are supported; Option C is false because not all fields are inherited; Option E is false because they cannot override the base search time range.

93
Multi-Selectmedium

Which THREE actions are possible when editing a dashboard in Studio?

Select 3 answers
A.Set a custom time range for the dashboard.
B.Edit the underlying search of a report used in a panel.
C.Add custom CSS to style the dashboard.
D.Convert a static panel to a form input.
E.Export the dashboard as a PDF from the editor.
AnswersA, C, D

Yes, in dashboard properties.

Why this answer

Option A is correct because in Splunk Dashboard Studio, you can set a custom time range for the entire dashboard via the 'Time Range' picker in the editor. This overrides the default time range and applies to all panels that do not have their own explicit time range set, allowing consistent temporal scoping across the dashboard.

Exam trap

Splunk often tests the misconception that you can edit a report's search directly from Dashboard Studio, when in fact reports are separate entities that must be modified independently.

94
MCQhard

A visualization is showing unexpected spikes in a timechart. The data is aggregated by hour, but the spikes align with time zone changes. What is the likely cause?

A.The data contains events with different time zones
B.The timechart uses a gap threshold
C.The search uses _time instead of _indextime
D.The bin span is too small
AnswerA

Mixed time zones cause events to be bucketed into incorrect hours, creating spikes.

Why this answer

The unexpected spikes in the timechart are caused by events being timestamped with different time zones. When Splunk aggregates data by hour using `_time`, it converts all timestamps to the search head's local time zone. Events originally logged in different time zones (e.g., UTC vs.

EST) will be shifted into different hour buckets, creating artificial spikes at the boundaries of time zone changes (e.g., daylight saving time transitions). This is a classic time zone misalignment issue in time-series analysis.

Exam trap

The trap here is that candidates often assume spikes are caused by data volume or indexing delays, rather than recognizing that time zone misalignment in event timestamps can create artificial spikes in timecharts, especially during daylight saving time transitions.

How to eliminate wrong answers

Option B is wrong because a gap threshold controls how Splunk fills missing time buckets (e.g., connecting gaps with null values), not the cause of spikes aligned with time zone changes. Option C is wrong because using `_indextime` (the time the event was indexed) instead of `_time` (the event timestamp) would shift all events to the indexing time, which is typically in UTC and would not produce spikes aligned with time zone changes in the original event timestamps. Option D is wrong because a bin span that is too small would produce more granular data with potential noise, but it would not cause spikes specifically aligned with time zone changes; the spikes would be random or based on event volume, not time zone boundaries.

95
MCQhard

Refer to the exhibit. A user scheduled a report but it never runs. Which of the following is the most likely reason?

A.The report needs to be shared with the scheduler role.
B.The stats command requires a by clause with a time field.
C.The search string is missing the 'timechart' command.
D.The cron schedule is invalid because it lacks the weekday field.
AnswerD

The cron schedule must have five fields; the provided expression only has four, making it invalid.

Why this answer

The cron schedule is invalid because it only has four fields (minute, hour, day of month, month) and is missing the weekday field. Splunk requires five fields for a cron expression. Options A, B, and C are incorrect for the stated reasons.

96
MCQhard

An organization has a large dataset and wants to create a daily report of top 10 error messages. The search takes a long time to run. Which optimization approach reduces run time while maintaining accuracy?

A.Use | rare instead of | top
B.Use | head 10 early in the search
C.Increase the time range
D.Use summary indexing to pre-aggregate
AnswerD

Summary indexing captures aggregated results and speeds up subsequent searches.

Why this answer

Summary indexing pre-aggregates data at search time and stores the results in a summary index. The daily report can then run against this pre-computed summary rather than scanning the entire raw dataset, drastically reducing run time while preserving accuracy because the aggregation is done once.

Exam trap

Splunk often tests the misconception that simply limiting results early (like `| head`) is a valid optimization, but candidates must understand that accuracy requires aggregation before truncation, and that summary indexing is the proper method for pre-computing results without data loss.

How to eliminate wrong answers

Option A is wrong because `| rare` finds the least common values, which is the opposite of the required top 10 error messages and would not reduce search time. Option B is wrong because `| head 10` early in the search truncates the result set before aggregation, which would produce inaccurate results (only the first 10 events, not the top 10 by count). Option C is wrong because increasing the time range expands the data to be scanned, making the search run longer, not shorter.

97
Multi-Selectmedium

Which THREE elements are required to create a dashboard in Splunk Web? (Choose three.)

Select 3 answers
A.A time range picker
B.At least one panel
C.A title for the dashboard
D.Permissions set to viewable by at least one role
E.A scheduled report in at least one panel
AnswersB, C, D

A dashboard without panels is empty and invalid.

Why this answer

Option B is correct because a dashboard in Splunk Web must contain at least one panel to display data. Panels are the fundamental building blocks of a dashboard; without them, there is no content to visualize. A dashboard with zero panels is invalid and cannot be saved or rendered.

Exam trap

The trap here is that candidates often confuse optional features (like a time range picker or scheduled reports) with mandatory elements, leading them to select A or E instead of recognizing that only a panel, a title, and at least one role permission are strictly required.

98
MCQhard

A user wants to create a report that shows the average response time for each web endpoint over the past week. The data has fields: endpoint, response_time. Which search correctly calculates the average?

A.... | stats avg(response_time) by endpoint
B.... | stats mean(response_time) by endpoint
C.... | stats avg(response_time) by _time
D.... | eval avg=sum(response_time)/count | stats values(avg) by endpoint
AnswerA

Correctly calculates average per endpoint.

Why this answer

Option A is correct because the `stats avg(response_time) by endpoint` command calculates the average (mean) of the response_time field for each unique endpoint value. This directly meets the requirement of showing average response time per web endpoint over the past week, assuming the time range is set in the search bar or via an earliest/latest constraint.

Exam trap

Splunk often tests the distinction between `avg()` and `mean()` — `mean()` is not a valid SPL command, but candidates may confuse it with the statistical term or with SQL syntax, leading them to select Option B.

How to eliminate wrong answers

Option B is wrong because `mean()` is not a valid SPL function; the correct function for average is `avg()`. Option C is wrong because `by _time` groups results by the timestamp field, not by endpoint, which would produce average response times per time bucket rather than per endpoint. Option D is wrong because it manually calculates an average using `eval avg=sum(response_time)/count` and then uses `stats values(avg) by endpoint`, which is redundant and incorrect — `values()` returns a multivalue list of all computed averages per endpoint rather than a single aggregated average, and the manual calculation is unnecessary when `avg()` exists.

99
MCQmedium

A team wants to add an interactive time range picker to a dashboard. The dashboard uses a base search with a token for earliest and latest. Which configuration is required?

A.Set the search's earliest and latest to -1h and now
B.Use the built-in time range picker by adding <option> elements
C.Add input type='dropdown' token='time' and use $time$ in the search
D.Add input type='time' token='time_tok' and use $time_tok$ in the search
AnswerD

This correctly creates a time range picker and links it to the search via token.

Why this answer

Option D is correct because the `input type='time'` element is the standard way to add an interactive time range picker in Splunk dashboards. By setting the `token` attribute to `time_tok` and referencing `$time_tok$` in the base search, the dashboard dynamically passes the selected time range to the search, overriding any static earliest/latest values.

Exam trap

Splunk often tests the distinction between `input type='time'` (the correct element for a time range picker) and `input type='dropdown'` (which only provides a static list of options), leading candidates to mistakenly choose a dropdown with a time token.

How to eliminate wrong answers

Option A is wrong because setting the search's earliest and latest to static values like -1h and now would hardcode the time range, preventing the interactive time picker from having any effect. Option B is wrong because the built-in time range picker is not added via `<option>` elements; `<option>` elements are used for dropdown or radio inputs, not for the time input type. Option C is wrong because `input type='dropdown'` creates a simple dropdown menu, not a time range picker; the `$time$` token is not a standard token for time ranges, and the correct input type for time selection is `time`.

100
Multi-Selectmedium

Which TWO statements are true about saved reports in Splunk?

Select 2 answers
A.All saved reports automatically send email alerts.
B.Saved reports are created exclusively from dashboard panels.
C.Saved reports can be used as data sources for dashboard panels.
D.Saved reports can be scheduled to run at specific times.
E.Saved reports cannot be edited after creation.
AnswersC, D

Correct.

Why this answer

Option C is correct because saved reports in Splunk can be used as data sources for dashboard panels. When you create a dashboard panel, you can select a saved report as its data source, which allows the panel to display the report's results. This enables reuse of report logic across multiple dashboards without rewriting the search.

Exam trap

The trap here is that candidates often confuse saved reports with alerts, assuming all saved reports have email actions enabled by default, or they think reports are only for dashboards, when in fact reports are standalone search artifacts that can be scheduled, shared, and used as data sources.

101
MCQmedium

Refer to the exhibit. A Splunk user runs this search against a lookup file containing application error data. The search returns fewer than 10 results. Which is the most likely reason?

A.The inputlookup command only returns the first 10 rows by default.
B.The lookup file contains more than 10 rows.
C.The search filter 'severity="high"' is too restrictive, resulting in fewer than 10 matching rows.
D.The table command limits the number of results.
AnswerC

Correct. The filter limits results, so head returns all matches.

Why this answer

The search filters for severity='high', which may be a small subset. The head command limits to 10, but if fewer than 10 match, that's all that's returned.

102
MCQeasy

A user creates a dashboard with a line chart showing server response times. The chart looks correct in the dashboard editor but when saved and viewed by other users, the chart shows no data. The other users have the same role as the creator. What is the most likely cause?

A.The time range is set to 'Real-time' while the other users access at a different time
B.The other users do not have permission to the index
C.The search includes a field that is only visible to the creator
D.The dashboard is set to private
AnswerA

Real-time search shows data only within a small sliding window; if no events at that moment, chart is empty.

Why this answer

Option A is correct because when a dashboard chart uses a 'Real-time' time range, it continuously updates to show data from the current moment. If the creator views the dashboard at one time, the chart displays data, but when other users access it later, the real-time window has shifted, and if no data exists for that new window, the chart appears empty. This is a common issue with real-time searches in Splunk dashboards, as they do not retain historical data.

Exam trap

Splunk often tests the misconception that permission issues (like index access or field visibility) are the cause, when the real problem is the ephemeral nature of real-time searches in shared dashboards.

How to eliminate wrong answers

Option B is wrong because the other users have the same role as the creator, and the chart works for the creator, so index permissions are not the issue; if they lacked permission, the creator would also see no data or an error. Option C is wrong because fields are not permission-based; if a field is used in the search, it is either available to all users with data access or the search would fail for everyone, not just other users. Option D is wrong because a private dashboard is only visible to the creator, but the question states other users can view the dashboard (they see it, but with no data), so it cannot be set to private.

103
MCQhard

A dashboard has multiple panels that each use the same base search but apply different aggregate functions. To avoid running the base search multiple times, which technique should be used?

A.Use a base search with post-process panels
B.Use | savedsearch to reference the base search
C.Use | multisearch to combine all aggregations
D.Use | map to run the base search for each panel
AnswerA

Post-process panels share the base search results, reducing duplicate searches.

Why this answer

Option A is correct because Splunk's post-process search feature allows a dashboard to define a single base search that runs once, and then multiple panels can apply different aggregate functions (e.g., stats, timechart) on the results without re-executing the base search. This is achieved by using the `base` and `postprocess` attributes in the dashboard XML or Simple XML, which significantly reduces search overhead and improves dashboard performance.

Exam trap

The trap here is that candidates often confuse `| multisearch` or `| map` with sharing results, but Splunk specifically designed post-process searches for this exact use case, and the exam tests the distinction between running a search once versus running it multiple times.

How to eliminate wrong answers

Option B is wrong because `| savedsearch` runs the saved search as a new independent search each time it is invoked, so it does not avoid running the base search multiple times across panels. Option C is wrong because `| multisearch` is used to run multiple subsearches in parallel and combine their results, but it does not allow different panels to apply different aggregate functions on a single shared base result set. Option D is wrong because `| map` runs a search for each input value from a prior search, which would actually multiply the number of base search executions rather than reduce them, and is not designed for sharing a single base result across panels.

104
Drag & Dropmedium

Drag and drop the steps to configure a Splunk alert that sends an email when a specific condition is met into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Alerts are created from a search, with conditions and actions defined in the alert configuration.

105
MCQhard

An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?

A.Use a base search and post-process searches for dependent panels.
B.Reduce the time range picker to the last 24 hours.
C.Combine all searches into one large search and use eval to separate results.
D.Add more panels to distribute the data load.
AnswerA

This allows sharing search results across panels, reducing overall search execution.

Why this answer

Option A is correct because using a base search with post-process searches allows multiple dashboard panels to share a single, initial data retrieval. Instead of each panel running its own independent search against the index, they all reference the results of the base search, which runs once. This drastically reduces the number of indexer queries and speeds up dashboard load time, especially when panels share a common data source or filtering criteria.

Exam trap

The trap here is that candidates often think reducing the time range or consolidating searches into one large query will improve performance, but they overlook the fundamental Splunk best practice of using base searches to eliminate redundant index access.

How to eliminate wrong answers

Option B is wrong because reducing the time range to the last 24 hours only limits the data volume, but does not address the root cause of multiple independent searches running concurrently; each panel still executes its own search, so performance gains are minimal and may miss needed historical data. Option C is wrong because combining all searches into one large search with eval statements creates a monolithic, complex query that is harder to debug, may exceed search limits, and still forces Splunk to process all data for every panel, often increasing load time rather than reducing it. Option D is wrong because adding more panels would increase the number of independent searches, making performance worse, not better.

106
Multi-Selecteasy

A user wants to save a search as a report that can be used in a dashboard. Which TWO steps are required? (Select two.)

Select 2 answers
A.Schedule the report for email delivery
B.Run the search and click 'Save As' > 'Report'
C.Set a time range in the search
D.Name the report and set permissions
E.Add the report to a dashboard panel
AnswersB, D

This initiates the save process for a report.

Why this answer

Option B is correct because the first required step to save a search as a report is to run the search and then select 'Save As' > 'Report' from the Splunk UI. This action opens the Save As Report dialog, which is the standard method for converting an ad-hoc search into a persistent report object that can be used in dashboards.

Exam trap

The trap here is that candidates often confuse the optional post-save actions (like scheduling or adding to a dashboard) with the mandatory steps required to create the report object itself.

107
MCQmedium

An analyst needs to create a dashboard that displays real-time data (streaming) for operational monitoring. Which panel type supports real-time data?

A.A panel based on a scheduled alert.
B.A panel based on a saved search with a fixed time range.
C.A panel based on a saved report with a scheduled time range.
D.A panel with a search that uses the 'Real-time' time range option.
AnswerD

Real-time time range enables streaming data display.

Why this answer

Option D is correct because the 'Real-time' time range option in Splunk allows a dashboard panel to continuously stream and update data as it is indexed, providing live operational monitoring. This is the only panel type that supports true real-time data, as it sets the search to run continuously with a rolling window (e.g., last 60 seconds) rather than relying on a fixed or scheduled time range.

Exam trap

The trap here is that candidates confuse scheduled searches or alerts with real-time streaming, but Splunk's 'Real-time' time range is the only mechanism that provides continuous, live data updates in a dashboard panel.

How to eliminate wrong answers

Option A is wrong because a scheduled alert runs at defined intervals and generates results only when triggered, not as a continuous real-time stream for dashboard display. Option B is wrong because a saved search with a fixed time range (e.g., last 24 hours) is static and does not update in real time; it reflects historical data at the time of execution. Option C is wrong because a saved report with a scheduled time range runs on a cron schedule (e.g., every hour), producing snapshots of data at those intervals, not a live streaming feed.

108
Multi-Selecthard

A security analyst creates a dashboard with multiple timechart panels. To ensure the dashboard performs well with large datasets, which THREE practices should be followed? (Select three.)

Select 3 answers
A.Use `| eval` to create calculated fields after aggregation
B.Use `eventstats` instead of `stats` when possible
C.Use the `fields` command to remove unnecessary fields early
D.Limit the time range to necessary periods
E.Use report acceleration on the base search
AnswersC, D, E

Removing unnecessary fields early reduces resource usage.

Why this answer

Option C is correct because the `fields` command removes unnecessary fields from events early in the search pipeline, reducing the amount of data that must be processed and stored in memory. This is especially important in dashboard timechart panels where large datasets can cause slow rendering and timeout issues.

Exam trap

Splunk often tests the misconception that `eventstats` is always better than `stats` for performance, but in dashboard contexts where you only need aggregated results, `stats` is more efficient because it does not attach the aggregation back to every raw event.

109
Drag & Dropmedium

Drag and drop the steps to troubleshoot a Splunk search that returns no results into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Troubleshooting no results involves checking time range, syntax, data existence, and logs.

110
MCQhard

A company has a dashboard that uses a base search and four post-process searches to display metrics. The dashboard loads slowly. The base search returns 10,000 results and each post-process search further filters. The infrastructure team suggests using tstats to improve performance. Which approach is best?

A.Use the tstats command in each post-process search without changing the base search
B.Replace all searches with a single tstats search and use eval in the dashboard
C.Use tstats only in the base search and keep the post-process searches as they are
D.Accelerate the data model used by the base search and use tstats in the post-process searches
AnswerD

Acceleration and tstats optimize both base and post-process searches, improving performance.

Why this answer

Option D is correct because tstats is optimized to run against accelerated data models, which pre-aggregate statistics and dramatically reduce the time needed to compute metrics. By accelerating the data model used by the base search, the base search itself becomes faster, and using tstats in the post-process searches leverages that acceleration to filter and aggregate results without scanning raw events. This combination addresses the root cause of slow performance—scanning 10,000 raw results in post-process searches—by moving computation to the indexed, pre-summarized data.

Exam trap

Splunk often tests the misconception that tstats can be used as a drop-in replacement for any search without considering the prerequisite of an accelerated data model or summary index, leading candidates to pick options that misuse tstats in post-process searches without addressing the base search's performance bottleneck.

How to eliminate wrong answers

Option A is wrong because using tstats in each post-process search without changing the base search still requires the base search to return 10,000 raw results, and tstats in post-process searches cannot bypass the base search's raw event retrieval, so the overall performance gain is minimal. Option B is wrong because replacing all searches with a single tstats search and using eval in the dashboard eliminates the ability to have separate, independent post-process searches that filter different metrics, and eval cannot replicate the filtering logic of post-process searches without significant complexity and performance loss. Option C is wrong because using tstats only in the base search while keeping post-process searches as they are does not accelerate the post-process searches themselves, which still filter the 10,000 raw results using slow, non-accelerated commands.

111
MCQhard

Refer to the exhibit. A user runs this search from a dashboard panel. The panel shows no results, but the lookup file exists and has data. What is the most likely reason?

A.The time range is set to a period with no data
B.The lookup file is not defined as a lookup table in Splunk
C.The sort command requires a field name
D.The where clause is incorrectly formatted
AnswerB

Inputlookup requires a lookup definition.

Why this answer

The search references a lookup file by name, but Splunk requires that lookup files be explicitly defined as lookup tables via Settings > Lookups > Lookup table definitions before they can be used in search commands like `lookup`, `inputlookup`, or `outputlookup`. Without this definition, Splunk cannot resolve the file name to a valid lookup table, causing the search to return no results even though the file exists on disk.

Exam trap

Splunk often tests the distinction between uploading a lookup file and defining it as a lookup table, tricking candidates into thinking the file's mere existence on the filesystem is sufficient for it to be used in searches.

How to eliminate wrong answers

Option A is wrong because if the time range had no data, the search would still attempt to use the lookup file and might return results from the lookup itself, but the panel shows no results at all, indicating the lookup is not being resolved. Option C is wrong because the `sort` command does not require a field name; it can sort by the default field `_raw` or by the entire event, and a missing field name would cause a syntax error, not a silent failure with no results. Option D is wrong because the `where` clause is correctly formatted in the exhibit (e.g., `where status=200`), and an incorrectly formatted `where` clause would produce a search syntax error, not a panel with no results.

112
MCQmedium

A security analyst wants to create a report showing the number of failed login attempts by user over the past 24 hours, updated automatically every hour. Which approach is most efficient?

A.Create a real-time search in a dashboard
B.Create a report with a scheduled search that runs every hour and saves to a CSV file
C.Create a dashboard panel with a fast search
D.Use the tstats command in a dashboard
AnswerB

Scheduled reports run at specified intervals and can save results, making them efficient for periodic updates.

Why this answer

Option B is correct because scheduled reports with a time range run periodically and save results, reducing resource usage. Option A is wrong because dashboard panels run every time the dashboard loads, not scheduled. Option C is wrong because real-time searches are continuous and resource-intensive.

Option D is wrong because tstats is used for accelerated data models, not for ad-hoc reporting.

113
MCQeasy

A user wants to create a pie chart showing the distribution of error types from web server logs. Which Splunk command should be used to group the errors before visualization?

A.table
B.eval
C.top
D.stats count by error_type
AnswerD

This returns the count per error type, which can be visualized as a pie chart.

Why this answer

Option D is correct because the `stats count by error_type` command groups the raw events by the `error_type` field and computes the count for each group, producing the structured data needed for a pie chart. A pie chart requires aggregated numerical values per category, and `stats count by` is the standard Splunk approach to create this summary from log events.

Exam trap

The trap here is that candidates often confuse `top` with `stats count by` because both can show counts, but `top` is optimized for ranking and may truncate results, whereas `stats count by` provides a complete, unranked aggregation suitable for full-distribution visualizations like pie charts.

How to eliminate wrong answers

Option A is wrong because `table` simply displays selected fields in a tabular format without performing any aggregation, so it cannot group error types or compute counts for a pie chart. Option B is wrong because `eval` is used to create or modify fields using expressions, not to group or count events; it does not produce the aggregated dataset required for a pie chart. Option C is wrong because `top` displays the most common values of a field along with their counts and percentages, but it is designed for ranking and includes a limit (default 10), which may omit less frequent error types and is not the general-purpose grouping command for all error categories in a pie chart.

114
MCQeasy

Refer to the exhibit. Which visualization is most appropriate for this data?

A.Single value
B.Scatter chart
C.Pie chart
D.Line chart
AnswerC

Pie charts effectively display the relative proportions of categories.

Why this answer

A pie chart is the most appropriate visualization for this data because it shows a breakdown of a whole into its constituent parts, specifically the percentage of total events by source type. Pie charts are ideal for displaying proportional or categorical data where the sum of all slices equals 100%, making it easy to compare the relative size of each category at a glance.

Exam trap

Splunk often tests the candidate's ability to distinguish between visualizations for categorical vs. time-series data, and the trap here is that candidates might choose a line chart because they see a time field in the data, even though the question's exhibit shows aggregated counts by source type, not a trend over time.

How to eliminate wrong answers

Option A is wrong because a single value visualization is used to display a single metric or aggregate (e.g., total count, average latency), not a distribution of multiple categories. Option B is wrong because a scatter chart is designed to plot two continuous variables to identify correlations or clusters, not to show parts of a whole. Option D is wrong because a line chart is best for showing trends over time or continuous data, not categorical proportions.

115
Multi-Selecthard

Which TWO of the following are valid ways to add a visualization to a dashboard in Splunk?

Select 2 answers
A.Use the 'Edit' button on an existing panel to change it to a new visualization.
B.Create a new panel in the dashboard editor and select a visualization type.
C.Export a report as a PDF and upload it as an image panel.
D.Convert a saved report to a dashboard panel using the 'Save As Dashboard Panel' option.
E.Set up an alert and configure it to add a panel to the dashboard.
AnswersB, D

Direct method via dashboard editor.

Why this answer

Option B is correct because the dashboard editor in Splunk provides a dedicated workflow to add a new panel and then select a visualization type (e.g., chart, table, map) from the 'Visualization' tab. This is the standard method for building a panel from scratch within a dashboard, allowing you to define the search and choose the appropriate visualization for your data.

Exam trap

The trap here is that candidates often confuse modifying an existing panel's visualization (Option A) with adding a new visualization to the dashboard, or they mistakenly believe that alerts can dynamically create dashboard panels (Option E), when in reality alerts only trigger actions and cannot modify dashboard structure.

116
MCQhard

A dashboard includes a table panel that shows recent errors. The analyst wants users to click on an error message and be taken to a search showing all events containing that error message within the same time range. Which configuration should be applied to the table panel?

A.Set 'Drilldown' to 'Link to search' and configure the target search with a token for the error message.
B.Add a token on the table panel and set the drilldown to 'Token' with value '$row.error_message$'.
C.Set 'Drilldown' to 'Custom' and use JavaScript to open a new window.
D.Set 'Drilldown' to 'Search', and in the search string include 'error_message="$click.value$"'
AnswerA

Link to search with tokens maintains the time range and passes clicked value.

Why this answer

Option B is correct because 'Drilldown' with 'Link to search' allows passing the clicked field value as a token to a new search. Option A is wrong because 'Drilldown' to 'Search' with the field value creates a static search. Option C is wrong because 'Token' alone does not define a drilldown action.

Option D is wrong because 'Drilldown' to 'Custom' requires JavaScript.

117
MCQeasy

A user wants to create a dashboard panel that shows the top 5 most visited web pages. Which report type should be used as the underlying search?

A.stats count by page
B.top 5 page
C.rare 5 page
D.chart count by page
AnswerB

The top command directly returns the most common values.

Why this answer

The 'top' command in Splunk automatically returns the most common values of a field, and the syntax 'top 5 page' directly limits the result to the top 5 pages by count. This is the most straightforward and efficient way to generate a dashboard panel showing the top 5 most visited web pages, as it combines counting and sorting into a single command.

Exam trap

Splunk often tests the distinction between commands that only aggregate ('stats count') versus those that aggregate and limit ('top'), leading candidates to choose 'stats count by page' because they forget that it does not automatically restrict the output to the top N values.

How to eliminate wrong answers

Option A is wrong because 'stats count by page' returns a count for every page but does not sort or limit the results to the top 5, requiring additional piping (e.g., '| sort -count | head 5') to achieve the desired output. Option C is wrong because 'rare 5 page' returns the least common (rarest) pages, which is the opposite of what the user wants (most visited). Option D is wrong because 'chart count by page' produces a tabular or chart-ready output but, like 'stats count by page', does not automatically limit to the top 5 and requires extra steps to sort and truncate.

118
Multi-Selecthard

Which THREE of the following are valid ways to add a visualization to a dashboard?

Select 3 answers
A.Paste a search query in the dashboard editor.
B.Create a report and then drag it onto the dashboard.
C.Click 'Add Panel' and choose 'New from Search'.
D.Clone an existing panel and edit its search.
E.Upload a CSV file and select visualization type.
AnswersA, C, D

Yes, it creates a new panel.

Why this answer

Option A is correct because pasting a search query directly into the dashboard editor is a standard method for creating a new panel. When you paste a search in the editor, Splunk automatically generates a visualization based on the search results, allowing you to configure the chart type and formatting within the dashboard context.

Exam trap

Splunk often tests the distinction between 'New from Search' (inline search) and 'New from Report' (saved report), and candidates mistakenly think dragging a report onto a dashboard is valid, when in fact you must use the 'Add Panel' workflow.

119
MCQmedium

Refer to the exhibit. The chart shows five series. What is the effect of the useother=f argument?

A.It groups status codes beyond the top 5 into 'Other'
B.It includes all status codes as separate series
C.It sets the timechart to use default colors
D.It limits the chart to exactly 5 series without an 'Other' category
AnswerD

Correct: useother=f ensures no 'Other' group, so only the top 5 are shown.

Why this answer

The `useother=f` argument in a timechart command explicitly disables the automatic grouping of the least significant series into an 'Other' category. By default, timechart limits the number of distinct series displayed (often to 10) and aggregates the rest as 'Other'; setting `useother=f` forces the chart to show exactly the top 5 series as separate lines, with no aggregation. This matches option D, which states the chart is limited to exactly 5 series without an 'Other' category.

Exam trap

The trap here is that candidates often confuse `useother=f` with the default behavior of grouping into 'Other', leading them to select option A, when in fact `useother=f` removes the 'Other' category entirely.

How to eliminate wrong answers

Option A is wrong because `useother=f` disables the 'Other' grouping, not enables it; the default behavior already groups status codes beyond the top 5 into 'Other'. Option B is wrong because `useother=f` does not include all status codes as separate series — it still limits the series count (e.g., to 5) and simply omits the 'Other' bucket, so any series beyond the limit are dropped entirely. Option C is wrong because `useother=f` has no effect on color assignment; color defaults are controlled by the visualization settings or the `use_colors` argument, not by `useother`.

120
MCQmedium

A dashboard includes a form input that allows users to select a user. After selecting a user, a panel should show that user's activity. Which dashboard feature is required?

A.Post-process searches
B.Tokens
C.Drilldown
D.Link to report
AnswerB

Tokens capture and propagate user input to panel searches.

Why this answer

Tokens store the selected value and pass it to search queries, enabling dynamic panel updates.

121
Multi-Selectmedium

Which three options correctly describe characteristics or behaviors of Splunk reports and visualizations? (Choose three.)

Select 3 answers
.A report can be scheduled to run at a specific time and send results via email.
.The trellis layout in a chart divides data into multiple smaller charts based on a field.
.A single report can be used as a data source for multiple dashboard panels.
.The Single Value visualization can display trend indicators and sparklines.
.Radial gauges are the default visualization type for all statistical reports.
.Time series charts cannot be used with the 'stacked' mode option.

Why this answer

Option 1 is correct because Splunk reports can be scheduled to run at specific times using the 'Schedule Report' feature, and they can be configured to send results via email, PDF, or other delivery methods. Option 2 is correct because the trellis layout (also known as small multiples) splits a chart into multiple smaller charts based on the values of a specified field, allowing for comparison across categories. Option 3 is correct because a single report can be used as a data source for multiple dashboard panels by referencing the report's SID (Search ID) in each panel, ensuring consistent data across the dashboard.

Exam trap

Splunk often tests the misconception that all statistical reports default to radial gauges, but in Splunk, the default visualization is context-dependent and typically a table or column chart, not a radial gauge.

122
MCQhard

A Splunk admin notices that a dashboard panel using `timechart` is showing gaps (null values) for some time periods where no events exist. The admin wants to display a zero instead of null to make the chart continuous. Which command should be added before `timechart`?

A.`timechart useother=t`
B.`eventstats`
C.`makecontinuous`
D.`fillnull`
AnswerD

`fillnull` replaces null values with a specified value, typically used after aggregation like `timechart`.

Why this answer

Option D, `fillnull`, is correct because it explicitly replaces null values in the results of a transforming search (like `timechart`) with zeros. When `timechart` produces gaps for time buckets with no events, `fillnull` fills those null fields with a specified value (default 0), making the chart continuous. This command must be placed after the transforming command, not before it, but the question asks which command should be added before `timechart`—in practice, `fillnull` is used in a subsearch or after `timechart`; however, the intended correct answer is `fillnull` as the command that achieves the desired result.

Exam trap

The trap here is that candidates often confuse `makecontinuous` (which fills missing time buckets with null events) with `fillnull` (which replaces null values with zeros), and may incorrectly think `makecontinuous` alone solves the problem, but it only creates the buckets—not the zero values.

How to eliminate wrong answers

Option A is wrong because `timechart useother=t` groups rare values into an 'Other' category, but does not fill null values or address gaps in time series. Option B is wrong because `eventstats` computes statistics over all events without splitting by time, and cannot fill null values in a timechart output. Option C is wrong because `makecontinuous` fills gaps in a time series by generating events for missing time buckets, but it does not replace null values with zeros—it creates null events that still require `fillnull` to convert to zero.

123
MCQhard

A newly created dashboard panel is not displaying data, showing only 'No results found'. The search query works correctly in the Search app. What is the most likely cause?

A.The dashboard has not been shared with the user's role.
B.The search contains a syntax error that is not caught by the dashboard editor.
C.The dashboard's time range picker is set to a different range than the search was tested with.
D.The panel is not based on a saved report.
AnswerC

Time range mismatch is a common cause of 'No results' in dashboard panels.

Why this answer

Option A is correct because dashboards often inherit time range from the dashboard time picker, which may be set to a different time than the search tested. Option B is wrong because permissions affect who sees the dashboard, not whether data appears. Option C is wrong because a dashboard panel doesn't need a saved search.

Option D is wrong because the search works in Search app, so syntax is fine.

← PreviousPage 2 of 2 · 123 questions total

Ready to test yourself?

Try a timed practice session using only Creating Reports, Dashboards and Visualizations questions.