Practise Splunk Core Certified User SPLK-1002 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.
These are the questions most candidates get wrong. They require connecting multiple concepts, reading tricky output, or knowing edge-case behaviour that isn't on most study cards. Practising them trains you to operate under uncertainty — a necessary skill on the real exam.
Quick answer
Hard-difficulty questions test whether you can apply the concept in context, not just recognise a definition. They exercise:
- how the topic appears in realistic exam-style scenarios;
- which detail in the question changes the correct answer;
- how to eliminate plausible but wrong options;
- how to connect the question back to the wider exam objective.
During a data model acceleration build, the following error appears in splunkd.log: 'Data model acceleration: not enough memory to complete summary build.' Which best practice should the administrator implement to prevent this error?
A. Remove unnecessary fields from the data model to reduce complexity.
Why wrong: Removing fields may help, but the memory error is about process allocation, not field count.
B. Increase the memory allocation for the data model acceleration process.
Correct: The error indicates insufficient memory; increasing the allocation resolves it.
C. Reduce the summary range to less than 7 days.
Why wrong: Reducing the range may reduce memory needs, but it is not a direct fix for memory allocation.
D. Use tstats instead of data model acceleration for queries.
Why wrong: tstats relies on acceleration; it does not address the build memory error.
A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:
The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
A. Use 'eventstats count by clientip, sessionid' and then filter where count > 5, then sort and head.
Why wrong: eventstats does not reduce the event set; every event is still processed.
B. Use the 'transaction' command to group events by clientip and sessionid, then filter by duration.
Why wrong: transaction is more resource-intensive than stats.
C. Add a 'where' command after stats to filter out internal IPs and use 'head 10' at the end.
Why wrong: Internal IPs are not filtered early, so all data is still processed.
D. Add 'clientip!=10.0.0.0/8' in the base search, then use 'stats count by clientip, sessionid', then 'where count>5', then 'sort - count | head 10'.
Correct: Filters early, uses the efficient stats command, then filters and sorts on the reduced result set.
You are a Splunk admin for a large enterprise with multiple distributed Splunk components. The security team frequently runs searches that use a large CSV lookup file (500MB) containing threat intelligence indicators. They report that searches are slow and sometimes time out. The lookup file is updated hourly via an automated script. The team currently uses the 'lookup' command in every search. You need to improve performance without sacrificing data freshness. Your environment has a search head cluster and indexer cluster. The lookup file is stored on a shared filesystem accessible to all search heads. Which single approach will best improve search performance while maintaining hourly updates?
A. Configure the lookup as a time-based lookup with a filter condition to only apply to events with matching IP fields, and use an automatic lookup to avoid the manual command.
Correct: Time-based lookups and filtering reduce the number of events processed, improving speed.
B. Increase the search concurrency limit on the search head to allow more parallel lookups.
Why wrong: Concurrency helps with multiple simultaneous searches, not single-search performance.
C. Convert the CSV to a KV Store collection and use the 'lookup' command with the KV Store lookup.
Why wrong: KV Store may not be faster for large static datasets and adds complexity.
D. Move the CSV file to each indexer and use an index-time field lookup.
Why wrong: Index-time lookups are deprecated and not recommended; search-time lookups are the standard.
An IT operations team has a dashboard with multiple panels showing server metrics. Each panel uses a separate search that runs every time the dashboard is loaded, causing slow performance. What is the best practice to improve dashboard load time?
A. Use a base search and post-process searches for dependent panels.
Correct: This shares search results across panels, reducing overall search execution.
B. Reduce the time range picker to the last 24 hours.
Why wrong: This may omit necessary data and does not address search redundancy.
C. Combine all searches into one large search and use eval to separate results.
Why wrong: Complex evals can be inefficient and hard to maintain; post-process searches are the recommended approach.
D. Add more panels to distribute the data load.
Why wrong: More panels mean more searches, worsening performance.
A Splunk administrator is configuring a lookup to enrich firewall logs with a static CSV file containing allowed IP ranges. Which TWO statements about lookup configuration are correct?
A. A KV Store lookup is required for static tables.
Why wrong: KV Store is for dynamic collections, not static files.
B. The lookup definition must include the fields to match on from the event data.
Correct: Matching fields are required to relate the lookup table to events.
C. The CSV file can be uploaded through the Lookups menu in Settings.
Correct: Static CSV files can be uploaded via the Lookups menu.
D. The lookup is defined in macros.conf.
Why wrong: Lookup definitions are in transforms.conf.
E. The CSV file must be placed in an absolute path on the search head.
Why wrong: Splunk uses relative paths within the app directory.
During onboarding, a new user can't find any data in Splunk. They see 'No results found' for all searches. The data is being forwarded from a universal forwarder. What should they check first?
A. Check if the user has the admin role.
Why wrong: Permissions are important but are not the first step.
B. Check if the forwarder is configured to send to the correct indexer.
Correct: This is a common misconfiguration.
C. Check if the firewall is blocking ports.
Why wrong: Network issues would cause no indexing.
D. Check if the search is using the correct time range.
Refer to the exhibit. What can be determined about the license usage?
Exhibit:
```
> splunk show licenser-pool -name auto_generated_pool_enterprise
Pool: auto_generated_pool_enterprise
Description: Automatically created pool.
Max Size: 500 MB
Used Size: 320 MB
Allowed Slaves: *
Stack ID: enterprise
```
A. 320 MB of license is used for search.
Why wrong: Used size includes all indexing, not just search.
A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?
A. | rename duration as duration_sec
Why wrong: rename does not perform division.
B. | convert duration_sec = duration/1000
Why wrong: convert does not support arithmetic.
C. | eval duration_sec = duration / 1000
Correct: eval creates the new field using an arithmetic expression.
D. | fields duration_sec = duration/1000
Why wrong: The fields command does not support expressions.
An organization is ingesting web proxy logs and wants to enrich them with a lookup table that maps internal IP addresses to employee names. The lookup table is updated weekly. Which configuration ensures the lookup is automatically applied to all searches without manual intervention, while also minimizing performance impact?
A. Create a macro that includes the 'lookup' command and share it with users.
Why wrong: Users must still invoke the macro; not fully automatic.
B. Upload the lookup file each week and manually run a search to add the field.
Why wrong: Manual process, neither automatic nor scalable.
C. Use the 'lookup' command in every search to fetch the employee name.
Why wrong: Requires manual addition to each search, not automatic.
D. Configure an automatic lookup in props.conf and transforms.conf.
Correct: Automatic lookups are applied at search time to all matching events without manual effort.
A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?
A. eval status=coalesce(status, "unknown")
Why wrong: coalesce only replaces the value if status is null in that event; fillnull is more appropriate for a missing field.
B. default status=unknown
Why wrong: There is no default command in Splunk.
C. fillnull value=unknown status
Correct: fillnull sets null fields to a specified value.
D. replace status with "unknown"
Why wrong: replace is for substituting values, not null handling.
A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?
A. mvexpand
Correct: mvexpand creates a separate event for each multivalue entry.
B. untable
Why wrong: untable is for unpivoting data.
C. stats
Why wrong: stats aggregates; it does not expand.
D. makemv
Why wrong: makemv converts a single value into a multivalue field; it does not expand.
A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?
A. Enable row expansion in the table options.
Why wrong: Row expansion shows details inline, not a new search.
B. Add a link to the search in the table using 'Link to external resource'.
Why wrong: External resource is for URLs, not a new Splunk search.
C. Set the drilldown action to 'Search' in the table's edit panel.
Correct: This configures the drilldown to run a new search.
D. Use the `drilldown` search command in the underlying search.
Why wrong: Drilldown is a UI feature, not a search command.
A large enterprise has multiple Splunk indexers and is using data model acceleration to speed up dashboards. The dashboards are slow despite acceleration being enabled. The data model has many root events and child datasets. Which best practice should the administrator consider to improve performance?
A. Use tstats commands on the data model without acceleration.
Why wrong: tstats requires acceleration to be effective; without it, performance is poor.
B. Reduce the number of root events in the data model.
Correct: Fewer root events simplify the acceleration summary, improving build and search performance.
C. Replicate the data model on each indexer to distribute load.
Why wrong: Replication duplicates effort and is not a standard best practice for acceleration.
D. Increase the summary range to cover more data.
Why wrong: A larger summary range increases build time and may not improve query speed.
A Splunk administrator notices that a data model acceleration summary is consuming excessive disk space on the indexers. The data model is used for a dashboard that refreshes every 30 minutes. What is the best course of action to reduce disk usage while maintaining dashboard performance?
A. Disable data model acceleration and rely on raw data searches.
Why wrong: Disabling acceleration would degrade dashboard performance.
B. Decrease the acceleration time range in the data model definition.
Correct: Reducing the acceleration time range reduces the amount of stored summary data, saving disk space.
C. Decrease the backfill time for the data model.
Why wrong: Backfill time controls how far back to initially populate summaries, not ongoing storage.
D. Increase the acceleration time range to speed up summary generation.
Why wrong: Increasing the time range would store more summaries, increasing disk usage.
Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?
These SPLK-1002 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.