SPLK-1002 · topic practice

Basic Searching and Transforming Commands practice questions

Practise Splunk Core Certified Power User (SPLK-1002) Basic Searching and Transforming Commands practice questions: original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed by Johnson Ajibi · MSc IT Security
20 questions · Domain: Basic Searching and Transforming Commands

What the exam tests

What to know about Basic Searching and Transforming Commands

Basic Searching and Transforming Commands questions test whether you can apply the concept in context, not just recognise a definition.

  • How the topic appears in realistic exam-style scenarios.
  • Which detail in the question changes the correct answer.
  • How to eliminate plausible but wrong options.
  • How to connect the question back to the wider exam objective.

Watch out for

Common Basic Searching and Transforming Commands exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint in the scenario, such as the time range, a limit, a sort direction, a field name or where a command sits in the pipeline.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Basic Searching and Transforming Commands questions

20 questions · select your answer, then reveal the explanation

A security analyst needs to identify the top 5 source IP addresses generating the most web traffic. Which command should be used?

An administrator wants to count events by status code and show only codes with more than 100 events. Which search correctly accomplishes this?

A search returns events with a field 'duration' in milliseconds. The analyst wants to create a new field 'duration_sec' that divides duration by 1000. Which command accomplishes this?

A search returns 1,000 events. The analyst wants to see the first 10 events sorted by the '_time' field in descending order. Which search is correct?

An analyst wants to remove duplicate events based on the 'user' field, keeping only the first occurrence. Which command should be used?

A search includes the command '| stats dc(user) by host'. What does this command return?

Which TWO commands can be used to filter events based on a field value? (Choose two.)

Which THREE of the following are valid uses of the 'eval' command? (Choose three.)
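Worked SPL for the eight scenarios above, added here as editor's examples rather than the page's own answer key. Each stanza is a separate search. `index=web` is an assumption; `clientip`, `status`, `uri_path`, `bytes` and `useragent` are the standard field extractions of the `access_combined` sourcetype, and `duration` and `user` are the fields named in the question stems.

```spl
index=web sourcetype=access_combined
| top limit=5 clientip

index=web sourcetype=access_combined
| stats count by clientip
| sort - count
| head 5

index=web sourcetype=access_combined
| stats count by status
| where count > 100

index=web sourcetype=access_combined
| eval duration_sec = duration / 1000

index=web sourcetype=access_combined
| sort 10 - _time

index=web sourcetype=access_combined
| dedup user

index=web sourcetype=access_combined
| stats dc(user) AS distinct_users by host

index=web sourcetype=access_combined status>=500
| where like(uri_path, "/admin%")

index=web sourcetype=access_combined
| eval size_kb = round(bytes / 1024, 2),
       severity = case(status >= 500, "server_error", status >= 400, "client_error", true(), "ok"),
       agent = lower(useragent)
```

Points the exam leans on: `top` adds a `count` and a `percent` column, and the `stats ... | sort - count | head 5` form is the same result without the percentage. `sort 10 - _time` is shorthand for `sort - _time | head 10`. `dedup user` keeps the first event seen for each user, which in the default reverse-chronological order is the most recent one. `dc(user)` counts distinct users, not events. Of the filtering commands, `search` matches against indexed terms and field values while `where` evaluates an expression (`like()`, `cidrmatch()`, comparisons) once the fields exist; `eval` creates or overwrites fields and never removes an event on its own.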

How many events will be output by this search?

Exhibit

Refer to the exhibit.

| makeresults count=5
| eval user = mvappend("alice","bob","charlie")
| mvexpand user
| stats count by user
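To check the answer rather than reason it out, the same pipeline can be instrumented, as an added example (not part of the original question). `eventstats count` records how many rows exist just before the final `stats`, and carrying that value through shows both the per-user count and the intermediate row count in the result.

```spl
| makeresults count=5
| eval user = mvappend("alice", "bob", "charlie")
| mvexpand user
| eventstats count AS rows_after_mvexpand
| stats count, values(rows_after_mvexpand) AS rows_after_mvexpand by user
```

`makeresults count=5` produces 5 rows, `mvappend` gives every row a three-value multivalue field, `mvexpand` turns those into 15 single-value rows, and `stats count by user` collapses them into 3 rows (`alice`, `bob`, `charlie`) with `count=5` and `rows_after_mvexpand=15` on each. The search therefore outputs 3 events.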

What is the purpose of this search?

Exhibit

Refer to the exhibit.

index=web sourcetype=access_combined
| stats count by status
| sort - count
| head 5

A large e-commerce company uses Splunk to monitor their web application. The operations team has noticed that the search for tracking user sessions is taking too long and consuming excessive resources. The current search is:

index=web sourcetype=access_combined | stats count by clientip, sessionid, productid | sort - count

The index contains over 10 billion events per day. The team wants to reduce the search time while still being able to identify the top 10 most active sessions (combinations of clientip and sessionid) that involve more than 5 product views. They also need to exclude any sessions that originated from internal IPs (10.0.0.0/8). Which approach would achieve this most efficiently?
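A rewrite that addresses the three inefficiencies in the scenario, added here as an editor's example (not the page's answer key): grouping by `productid` multiplies the number of `stats` buckets without contributing to a per-session count; internal addresses are still retrieved and aggregated before anyone could exclude them; and `sort` runs over every bucket when only the top 10 are wanted. Field names come from the question; `productid=*` is an assumption that product-view events are the ones carrying that field.

```spl
index=web sourcetype=access_combined productid=* NOT clientip="10.0.0.0/8"
| stats count AS product_views by clientip, sessionid
| where product_views > 5
| sort 10 - product_views
```

The CIDR exclusion sits in the base search so internal-IP events are filtered at retrieval rather than after `stats`; `| where NOT cidrmatch("10.0.0.0/8", clientip)` is the equivalent expression form if the filter has to happen later in the pipeline. If "product views" means distinct products rather than view events, replace `count` with `dc(productid)`. For a search that runs constantly over 10 billion events a day, the next step beyond tightening the SPL is to accelerate it (a data model queried with `tstats`, or a summary index), which is outside this question's scope.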

Which TWO of the following statements about the `stats` command in Splunk are correct? (Choose two.)


Refer to the exhibit. A security analyst runs the search and sees the result table. The analyst wants to see only the top 3 URI paths with their counts, without the percentage column. Which command modification achieves this?

Exhibit

Refer to the exhibit.

Search:
`index=web sourcetype=access_combined | top limit=5 uri_path`

Result table:
uri_path          count   percent
/                 4523    23.45
/login            2341    12.14
/products         1890    9.80
/about            1234    6.40
/contact          987     5.12
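The modification the question is after, shown as an added example with the same search as the exhibit: `limit=3` trims the result to three rows and `showperc=f` (or `showperc=false`) suppresses the percent column. The `rare` form is included because `top` and `rare` share the same options; its result cannot be read off the exhibit, which only lists the five most common paths.

```spl
index=web sourcetype=access_combined
| top limit=3 showperc=f uri_path

index=web sourcetype=access_combined
| rare limit=3 showperc=f uri_path
```

On the exhibit's data the first search returns:

uri_path          count
/                 4523
/login            2341
/products         1890

`| stats count by uri_path | sort 3 - count` gives the same three rows; `top` is the shorter form and also accepts `countfield=` to rename the count column.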

A junior Splunk user is tasked with investigating slow search performance in a large Splunk environment. The user runs a search over a week of data from the main index (containing 500 GB of data per day) using the following command: `index=main | search error | stats count by host`. The search takes over 10 minutes to complete. The user wants to improve search performance while still getting accurate results. Which of the following actions should the user take first?
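The efficient form of that search, as an added example rather than the page's answer key. Moving `error` into the base search lets the indexer match it against the index's term lexicon instead of retrieving every event in `index=main` for the week and filtering afterwards, and restricting the time range (and, where known, the sourcetype) cuts the number of buckets read at all. The `earliest=-24h` value is an assumption standing in for whatever window the investigation actually needs.

```spl
index=main earliest=-24h error
| stats count by host
```

Two caveats worth knowing: Splunk's search optimizer can push a `| search` predicate into the base search automatically, so writing it there explicitly is about not depending on that behaviour, and the time range is usually the larger saving. A bare `error` is a full-text term match; if the data has a field such as a log level, filtering on that field is both faster and more precise.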

Which three of the following are valid uses of the `stats` command in Splunk? (Choose three.)

Which three of the following statements about the `eval` command in Splunk are correct? (Choose three.)

Which of the following statements about the `top` and `rare` commands in Splunk are correct? Choose all that apply. (There are four correct answers.)

Drag and drop the steps to configure a Splunk forwarder to send data to an indexer into the correct order.


Drag and drop the steps to create a Splunk dashboard with a single panel into the correct order.


Match each Splunk role to its typical permission scope.


  • Full system access including settings and users
  • Create and share knowledge objects and run searches
  • Run searches and create personal knowledge objects
  • Ability to delete events from indexes


Focused Basic Searching and Transforming Commands sessions

Start a Basic Searching and Transforming Commands only practice session

Every question in these sessions is drawn from the Basic Searching and Transforming Commands domain — nothing else.

Related practice questions

Related SPLK-1002 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SPLK-1002 exam test about Basic Searching and Transforming Commands?
Basic Searching and Transforming Commands questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Basic Searching and Transforming Commands questions in a focused session?
Yes — the session launcher on this page draws every question from the Basic Searching and Transforming Commands domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SPLK-1002 topics?
Use the topic links above to move to related areas, or go back to the SPLK-1002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SPLK-1002 exam covers. They are not copied from any real exam or dump site.