Scenario-based practice

Hard Difficulty Questions

Practise Splunk Core Certified User SPLK-1002 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

20 scenario questions | Exam code: SPLK-1002 | Vendor: Splunk

Scenario guide

How to approach hard difficulty questions

These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.

Quick answer

Hard difficulty questions test whether you can apply a concept in context, not just recognise a definition. The scenarios below cover:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice scenarios

Question 1 (hard, multiple choice)

During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?

Question 2 (hard, multiple choice)

A search includes the command '| stats dc(user) by host'. What does this command return?

Question 3 (hard, multiple choice)

A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:

```
index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count
```

The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?

Question 4 (hard, multiple choice)

You are a Splunk admin for a large enterprise with multiple distributed Splunk components. The security team frequently runs searches that use a large CSV lookup file (500MB) containing threat intelligence indicators. They report that searches are slow and sometimes time out. The lookup file is updated hourly via an automated script. The team currently uses the 'lookup' command in every search. You need to improve performance without sacrificing data freshness. Your environment has a search head cluster and indexer cluster. The lookup file is stored on a shared filesystem accessible to all search heads. Which single approach will best improve search performance while maintaining hourly updates?

Question 5 (hard, multiple choice)

Refer to the exhibit. What is the purpose of this search?

Exhibit:

```
index=web sourcetype=access_combined
| stats count by status
| sort - count
| head 5
```

Question 6 (hard, multi-select)

Which TWO statements about designing Splunk data models are correct? (Choose two.)

Question 7 (hard, multi-select)

Which TWO of the following are valid ways to add a visualization to a dashboard in Splunk?

Question 8 (hard, multiple choice)

An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?

Question 9 (hard, multi-select)

A Splunk administrator is configuring a lookup to enrich firewall logs with a static CSV file containing allowed IP ranges. Which TWO statements about lookup configuration are correct?

Question 10 (hard, multiple choice)

During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?

Question 11 (hard, multiple choice)

Refer to the exhibit. What can be determined about the license usage?

Exhibit:

```
> splunk show licenser-pool -name auto_generated_pool_enterprise
Pool: auto_generated_pool_enterprise
    Description: Automatically created pool.
    Max Size: 500 MB
    Used Size: 320 MB
    Allowed Slaves: *
    Stack ID: enterprise
```

Question 12 (hard, multiple choice)

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?

Question 13 (hard, multiple choice)

An organization is ingesting web proxy logs and wants to enrich them with a lookup table that maps internal IP addresses to employee names. The lookup table is updated weekly. Which configuration ensures the lookup is automatically applied to all searches without manual intervention, while also minimizing performance impact?

Question 14 (hard, multiple choice)

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?

Question 15 (hard, multiple choice)

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?

Question 16 (hard, multiple choice)

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?

Question 17 (hard, multi-select)

Which TWO are valid methods to share a dashboard with other users without granting them edit permissions?

Question 18 (hard, multiple choice)

A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?

Question 19 (hard, multiple choice)

A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?

Question 20 (hard, multiple choice)

Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?

Exhibit (dashboard.xml):

```xml
<dashboard>
  <label>Web Performance</label>
  <row>
    <panel>
      <title>Error Rate</title>
      <chart>
        <search>index=web sourcetype=access_combined status>=400 | timechart count by status</search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <title>Response Time</title>
      <chart>
        <search>index=web sourcetype=access_combined | stats avg(response_time) by host</search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>
```

These SPLK-1002 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.