
Scenario-based practice

Refer to the Exhibit Practice Questions

Practise Splunk Core Certified User SPLK-1002 questions with original exam-style scenarios covering every exam domain, each with a detailed explanation, wrong-answer analysis and the common exam trap it targets.

15 scenario questions · Exam code: SPLK-1002 · Vendor: Splunk

Scenario guide

How to approach "refer to the exhibit" practice questions

Practise exhibit-style questions that ask you to read a topology, table, command output or diagram before choosing the best answer.

Quick answer

Exhibit-style questions test whether you can read the evidence shown before choosing the best answer. In SPLK-1002 the exhibit is usually an SPL search, a .conf stanza, dashboard XML, CLI output or a log excerpt rather than a network diagram. This guide covers:

How to extract the relevant detail from an exhibit.

How the search, configuration stanza or command output shown constrains the answer.

How to avoid answering from memory before reading the evidence.

How to map the exhibit back to the exam objective.

Practice scenarios

Question 1 (easy, multiple choice)

Refer to the exhibit. A Splunk user is building a data model for Apache error logs. The configuration shown is meant to extract an error_type field. However, when previewing data in the data model, the error_type field is not available. What is the most likely cause?

Exhibit

```
# props.conf
[apache_error]
TRANSFORMS-set = set_error_type

# transforms.conf
[set_error_type]
REGEX = \[(error|warn|info)\]
FORMAT = error_type::$1
DEST_KEY = _meta
```
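As an added check that is not part of the question set: the regex from the exhibit can be exercised at search time with `rex` on a few constructed Apache error lines (sample text, not from any real host). This only shows that the pattern captures the bracketed level; a TRANSFORMS- stanza in props.conf runs at index time, so whether an index-time field shows up in a data model depends on how that index-time extraction is configured, not on the regex itself.

```spl
| makeresults count=3
| streamstats count AS n
| eval _raw = case(
    n=1, "[Mon Sep 18 10:15:32 2023] [error] [client 203.0.113.9] File does not exist: /var/www/html/wp-login.php",
    n=2, "[Mon Sep 18 10:15:33 2023] [warn] [client 203.0.113.9] Request exceeds configured timeout",
    n=3, "[Mon Sep 18 10:15:34 2023] [info] [client 198.51.100.4] Accepting connection")
| rex field=_raw "\[(?<error_type>error|warn|info)\]"
| stats count BY error_type
```

Run it in any search bar; it needs no index. The result is three rows, one per level, which confirms the capture group. If the same regex returns nothing against real events in the index, the problem is in how and when the extraction is applied, which is the point the question is probing.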
Question 2 (hard, multiple choice)

Refer to the exhibit. What can be determined about the license usage?

Exhibit

```
> splunk show licenser-pool -name auto_generated_pool_enterprise
Pool: auto_generated_pool_enterprise
    Description: Automatically created pool.
    Max Size: 500 MB
    Used Size: 320 MB
    Allowed Slaves: *
    Stack ID: enterprise
```
Question 3 (easy, multiple choice)

Refer to the exhibit. What will this search return?

Exhibit

```
index=web sourcetype=access_combined | top 5 uri
```
Question 4 (medium, multiple choice)

Refer to the exhibit. This search produces a table with hosts as rows and status codes as columns. The user wants to visualize this as a stacked column chart showing the distribution of status codes per host. Which chart type should be selected?

Exhibit

```
index=web sourcetype=access_combined | chart count over host by status
```
Question 5 (medium, multiple choice)

Refer to the exhibit. Every event is assigned src_zone 'external', so the final `search src_zone=internal` returns nothing. What is the problem?

Exhibit

```
index=network sourcetype=cisco:asa
 | eval src_zone=case(src_ip="10.0.0.0/8","internal", 1=1,"external")
 | search src_zone=internal
 | stats count by src_zone
```
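Added example, not from the question bank: the same classification done two ways on constructed sample addresses, so the difference is visible without a cisco:asa index. `src_ip="10.0.0.0/8"` is a string comparison against the literal text `10.0.0.0/8`, which no real source address equals, whereas `cidrmatch()` tests membership in the block. The RFC 1918 ranges and the sample addresses are assumptions made for the demonstration.

```spl
| makeresults
| eval src_ip = split("10.12.34.56,172.16.8.9,192.168.1.20,203.0.113.77,8.8.8.8", ",")
| mvexpand src_ip
| eval zone_string = if(src_ip="10.0.0.0/8", "internal", "external")
| eval zone_cidr = case(
      cidrmatch("10.0.0.0/8", src_ip),     "internal",
      cidrmatch("172.16.0.0/12", src_ip),  "internal",
      cidrmatch("192.168.0.0/16", src_ip), "internal",
      1=1,                                 "external")
| table src_ip zone_string zone_cidr
```

Every row gets zone_string=external, reproducing the exhibit's symptom, while zone_cidr marks the three private addresses as internal and the two public ones as external. Keep the `1=1` catch-all last so that values failing every `cidrmatch()`, including malformed or non-IP strings, default to external rather than being silently trusted.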
Question 6 (hard, multiple choice)

Refer to the exhibit. A Splunk admin created this dashboard XML. When viewing the dashboard, the "Response Time" panel shows no data. What is the most likely cause?

Exhibit

dashboard.xml:

```
<dashboard>
  <label>Web Performance</label>
  <row>
    <panel>
      <title>Error Rate</title>
      <chart>
        <search>index=web sourcetype=access_combined status>=400 | timechart count by status</search>
        <option name="charting.chart">column</option>
      </chart>
    </panel>
    <panel>
      <title>Response Time</title>
      <chart>
        <search>index=web sourcetype=access_combined | stats avg(response_time) by host</search>
        <option name="charting.chart">bar</option>
      </chart>
    </panel>
  </row>
</dashboard>
```
Question 7 (medium, multiple choice)

Refer to the exhibit. A security analyst runs this search and gets two rows: threat_level 'high' and 'low'. However, many events with threat_score between 60 and 90 are lumped into 'low' rather than reported separately. How should the search be modified to include a 'medium' category?

Exhibit

```
index=network sourcetype=firewall
| eval threat_level = if(threat_score > 90, "high", "low")
| stats count by threat_level
```
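Added example, not from the question bank: `if()` and a three-branch `case()` evaluated side by side on constructed scores so the banding can be checked row by row. The 60 and 90 thresholds come from the question; the sample values and the `isnull()` branch are assumptions.

```spl
| makeresults count=6
| streamstats count AS n
| eval threat_score = case(n=1, 95, n=2, 90, n=3, 75, n=4, 61, n=5, 12)
| eval level_if   = if(threat_score > 90, "high", "low")
| eval level_case = case(
      isnull(threat_score), "unscored",
      threat_score > 90,    "high",
      threat_score > 60,    "medium",
      1=1,                  "low")
| table n threat_score level_if level_case
```

`case()` stops at the first true condition, so the tiers must be listed from highest to lowest. Row 2 (score 90) lands in medium, not high, because the test is `> 90`; if the intended bands are inclusive, use `>=`. Row 6 has no score at all: with plain `if()` it can never reach 'high' and disappears into 'low' or blank, whereas the explicit `isnull()` branch keeps unscored events visible in the stats output, which matters when the score feeds an alert.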
Question 8 (medium, multiple choice)

Refer to the exhibit. A data model named 'Web' is built on sourcetype 'web_access'. A user reports that the timestamp field is not being extracted correctly in the data model. What is the most likely issue?

Exhibit

props.conf:

```
[web_access]
DATETIME_CONFIG = /etc/datetime.xml
MAX_TIMESTAMP_LOOKAHEAD = 20
TIME_PREFIX = ^
TIME_FORMAT = %d/%b/%Y:%H:%M:%S
```
Question 9 (medium, multiple choice)

Refer to the exhibit. An admin is trying to accelerate this data model, but receives an error: 'Data model 'Authentication' has no constraints.' What is the most likely cause?

Exhibit

```
[datamodel]
app = search
name = Authentication
[datamodel/Authentication/constraint]
sourcetype = auth_log
[datamodel/Authentication/fields/action]
type = string
```
Question 10 (medium, multiple choice)

Refer to the exhibit. A user runs a search with `| lookup excel_lookup product_id OUTPUT sales_rep`. For a product_id that exists in the CSV but with a different case (e.g., "ABC123" vs "abc123"), what will be the value of the `sales_rep` field after the lookup?

Exhibit

transforms.conf:

```
[excel_lookup]
filename = sales_data.csv
max_matches = 1
default_match = N/A
case_sensitive_match = true
```
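Added example, not part of the question: a case-mismatched key resolved by lowercasing it before the match. So that the search runs without the sales_data.csv file, the CSV is stood in for by a `makeresults` subsearch and a left `join`, and `fillnull` plays the role of `default_match`. With a real lookup the equivalent is `| eval product_id=lower(product_id) | lookup excel_lookup product_id OUTPUT sales_rep`, which assumes the CSV's product_id column is already lowercase; the other fix is `case_sensitive_match = false` in the lookup definition. The product IDs and the names Dana and Lee are constructed.

```spl
| makeresults count=3
| streamstats count AS n
| eval product_id = case(n=1, "ABC123", n=2, "abc123", n=3, "xyz999")
| eval product_id_norm = lower(product_id)
| join type=left product_id_norm
    [ | makeresults count=2
      | streamstats count AS m
      | eval product_id_norm = case(m=1, "abc123", m=2, "def456"),
             sales_rep = case(m=1, "Dana", m=2, "Lee")
      | fields product_id_norm sales_rep ]
| fillnull value="N/A" sales_rep
| table product_id product_id_norm sales_rep
```

Both "ABC123" and "abc123" resolve to Dana, and the unknown "xyz999" falls through to N/A. The trap the question targets is that a case-sensitive miss is indistinguishable from a genuinely unknown key: both come back as the default value, so asset or identity enrichment can quietly drop matches whenever the log source and the CSV disagree on case.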
Question 11 (hard, multiple choice)

Refer to the exhibit. The lookup `usertable` has fields: user, role, department. The search returns an error: "Error in 'where' command: Field 'role' is not defined." What is the most likely cause?

Exhibit

```
| inputlookup usertable
| where role="admin"
| stats count by department
```
Question 12 (hard, multiple choice)

Refer to the exhibit. The dashboard panel is not displaying data when the input changes. What is the most likely cause?

Exhibit

```
<form>
  <label>Example Dashboard</label>
  <fieldset submitButton="false">
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Source</label>
      <choice value="access_combined">Web Access</choice>
      <choice value="secure">Secure</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=main sourcetype=$token$ | timechart count by host</query>
        </search>
      </chart>
    </panel>
  </row>
</form>
```
Question 13 (medium, multiple choice)

Refer to the exhibit. What does the log entry indicate about the search job?

Exhibit

```
2023-09-15 10:30:00,000 INFO  SearchContext - Search job created: job_id=1234567890
2023-09-15 10:30:01,500 INFO  IndexProcessor - Processing results for index=_internal
2023-09-15 10:30:02,000 WARN  SearchExecutor - Search job 1234567890 completed with partial results due to time limit
```
Question 14 (hard, multiple choice)

Refer to the exhibit. An administrator notices that searches against the 'sample_index' index return events older than 24 hours, while searches against other indexes do not. What is the most likely explanation?

Exhibit

```
[default]
frozenTimePeriodInSecs = 86400

[sample_index]
repFactor = auto
frozenTimePeriodInSecs = 604800
```
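Added check, not part of the question: per-index retention is governed by `frozenTimePeriodInSecs` in indexes.conf, and because several indexes.conf files are merged (a later app can override `[default]`), the effective value is better read back from the REST API than inferred from one excerpt. This search assumes an account that is allowed to query the indexes endpoint and an index named `main` to compare against; `sample_index` is the name from the question.

```spl
| rest /services/data/indexes
| search title="sample_index" OR title="main"
| eval retention_days = round(frozenTimePeriodInSecs / 86400, 1)
| table splunk_server title frozenTimePeriodInSecs retention_days maxTotalDataSizeMB
```

One row per index per indexer is returned, so a retention that differs between peers shows up immediately. A longer retention on one index is not only a storage question: security-relevant indexes kept for a week while the rest roll after a day changes what evidence is still available during an investigation, so the value should match the written retention policy rather than be discovered by accident.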
Question 15 (easy, multiple choice)

Refer to the exhibit. A user reports they cannot log in to Splunk Web and sees this error in the logs. What is the most likely cause?

Exhibit

```
2023-10-01 12:00:00,000 ERROR  [SplunkWeb] - CSRF token validation failed. Request rejected.
```

These SPLK-1002 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.