Basic Searching and Transforming Commands practice questions
Practise Splunk Core Certified User SPLK-1002 Basic Searching and Transforming Commands practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.
Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.
An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?
A
| stats count by status | where count > 100
Why wrong: The logic is correct and `where count > 100` is valid syntax, but option C is the better answer because it renames the count field explicitly before filtering on it.
B
| eval count=1 | stats sum(count) by status | where count > 100
Why wrong: Unnecessarily complex; the eval is not needed because `stats count` already produces the count.
C
| stats count as cnt by status | where cnt > 100
Correct: stats counts by status, then filters on the count field.
D
| where count > 100 | stats count by status
Why wrong: `where count` refers to a field that doesn't exist yet, because stats has not run at that point in the pipeline.
A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?
A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:
The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
Trap 1: Use 'eventstats count by clientip, sessionid' and then filter where…
eventstats does not reduce events, still processes all.
Trap 2: Use the 'transaction' command to group events by clientip and…
Transaction is more resource-intensive than stats.
Trap 3: Add a 'where' command after stats to filter out internal IPs and…
Internal IPs are not filtered early, still processes all data.
Refer to the exhibit. A security analyst runs the search and sees the result table. The analyst wants to see only the top 3 URI paths with their counts, without the percentage column. Which command modification achieves this?
Exhibit
Search:
`index=web sourcetype=access_combined | top limit=5 uri_path`
Result table:

| uri_path | count | percent |
| --- | --- | --- |
| / | 4523 | 23.45 |
| /login | 2341 | 12.14 |
| /products | 1890 | 9.80 |
| /about | 1234 | 6.40 |
| /contact | 987 | 5.12 |
Trap 1: `index=web sourcetype=access_combined | top limit=3 uri_path |…
This works but is less efficient than using `showperc=f`.
Trap 2: `index=web sourcetype=access_combined | top uri_path | head 3`
`head 3` would return three rows but still shows the percent column. More importantly, `top` without a limit computes and returns all results before `head` trims them, which is inefficient.
Trap 3: `index=web sourcetype=access_combined | top limit=3 uri_path`
This shows top 3 but still includes the percent column.
A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?
Trap 1: Use the `transaction` command to group related events before…
`transaction` is resource-intensive and would increase search time.
Trap 2: Replace `stats count by host` with `top limit=5 host` to limit…
This reduces output but not the initial data scanned; the main bottleneck is the broad search.
Trap 3: Add a `summarize` command before `stats` to pre-aggregate data.
`summarize` is not a Splunk command; the correct approach is to filter earlier.
What does the SPLK-1002 exam test about Basic Searching and Transforming Commands?
Basic Searching and Transforming Commands questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Basic Searching and Transforming Commands questions in a focused session?
Yes — the session launcher on this page draws every question from the Basic Searching and Transforming Commands domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SPLK-1002 topics?
Use the topic links above to move to related areas, or go back to the SPLK-1002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SPLK-1002 exam covers. They are not copied from any real exam or dump site.