Scenario-based practice

Troubleshooting Scenario Questions

Practise Splunk Core Certified User SPLK-1002 practice questions — original exam-style scenarios covering every exam domain, with detailed explanations, wrong-answer analysis, and common exam traps.

8 scenario questions | Exam code: SPLK-1002 | Vendor: Splunk

Scenario guide

How to approach troubleshooting scenario questions

These questions describe a network symptom and ask you to identify the root cause or the correct fix. They appear across all certification exams and reward systematic thinking over memorisation. The best candidates follow a consistent troubleshooting framework even under time pressure.

Quick answer

Troubleshooting scenario questions test whether you can apply the concept in context, not just recognise a definition. They check:

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Practice set

Practice scenarios

Question 1 (medium, multiple choice)

A security analyst wants to investigate a suspicious IP address that appeared in multiple log sources. Which Splunk feature is best suited to quickly find all events containing that IP across all indexed data?

Question 2 (medium, drag order)

Drag and drop the steps to troubleshoot a Splunk search that returns no results into the correct order.

Question 3 (hard, multiple choice)

A team has created a data model based on sourcetypes from different sources. Some fields are not populating correctly in Pivot. Which of the following is the most effective troubleshooting step?

Question 4 (hard, multi select)

Which THREE are valid considerations when troubleshooting data model acceleration? (Choose three.)

Question 5 (hard, multiple choice)

A Splunk admin is troubleshooting a slow report that uses an accelerated data model. The report uses tstats commands and filters on a field that is not a constraint field in the data model. Which of the following best explains why the report is slow?

Question 6 (hard, multi select)

A Splunk administrator is troubleshooting a time-based lookup that is supposed to match events to a lookup table that changes over time. The lookup is defined with time_field 'start_time' and time_format '%Y-%m-%d %H:%M:%S'. Which THREE conditions must be met for the time-based lookup to correctly match an event to a single row in the lookup table? (Choose three.)

Question 7 (hard, multiple choice)

A Splunk administrator is troubleshooting a slow search on firewall logs. The index is 'firewall', sourcetype is 'cisco:asa', and there is about 500 GB of data per day. The search is: index=firewall sourcetype=cisco:asa action=block | stats count by src_ip | where count > 1000. This search takes over 5 minutes to return results. The administrator needs the same results faster. The index has a data model named 'firewall_dm' that is accelerated with a summary range of 7 days. Which change to the search will improve performance the most while still returning the same results?

Question 8 (hard, multiple choice)

A company uses Splunk to monitor web server logs. They have a lookup table that maps IP addresses to geographic locations (city, country). The lookup is defined as a CSV file with fields: ip, city, country. The lookup definition is named 'geo'. The team wants to automatically add city and country to every web event at index time, so that all future searches have this enrichment without adding the lookup command. The team tries to set up an automatic lookup in props.conf for the sourcetype 'web_access', but the city and country fields still do not appear in the events. They verify that the lookup file exists and that the lookup definition works when used manually with the lookup command. What is the most likely cause of the automatic lookup not working?

These SPLK-1002 practice questions are part of Courseiva's free Splunk certification practice question bank. Courseiva provides original exam-style SPLK-1002 questions with detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics.