CCNA Fields Lookups Questions

75 of 124 questions · Page 1/2 · Fields Lookups topic · Answers revealed

Question 1 · MCQ · hard

A company uses Splunk to monitor web server logs. They have a lookup table that maps IP addresses to geographic locations (city, country). The lookup is defined as a CSV file with fields: ip, city, country. The lookup definition is named 'geo'. The team wants to automatically add city and country to every web event at index time, so that all future searches have this enrichment without adding the lookup command. The team tries to set up an automatic lookup in props.conf for the sourcetype 'web_access', but the city and country fields still do not appear in the events. They verify that the lookup file exists and that the lookup definition works when used manually with the lookup command. What is the most likely cause of the automatic lookup not working?

A. Index-time lookups are not supported; enrichment can only be done at search time
B. The lookup file must be in KV Store format for index-time lookups
C. The lookup must be invoked with the 'lookup' command in the search to populate the fields
D. The automatic lookup definition in props.conf is not correctly configured for the intended sourcetype

Answer: D

If the props.conf stanza does not match the sourcetype, the lookup will not be applied.

Why this answer

Option D is correct because the automatic lookup definition in props.conf must be correctly configured for the intended sourcetype. The most common misconfiguration is specifying the wrong sourcetype or incorrect syntax in the TRANSFORMS directive, which prevents the lookup from being applied at index time. Since the lookup works manually, the issue is with the props.conf configuration, not the lookup file or definition itself.

Exam trap

The trap here is that candidates assume automatic lookups work identically to search-time lookups, but they require explicit configuration in props.conf and transforms.conf, and any syntax error or sourcetype mismatch will silently fail.

How to eliminate wrong answers

Option A is wrong because index-time lookups are supported in Splunk via the TRANSFORMS directive in props.conf, which can enrich events at index time. Option B is wrong because index-time lookups can use CSV files; KV Store is not required. Option C is wrong because automatic lookups are designed to apply without needing the 'lookup' command in searches; they are configured in props.conf and applied at index time.

Question 2 · MCQ · hard

A security team uses a KV Store lookup to track threat intelligence indicators (IPs, domains) with a field 'indicator' and a field 'threat_type'. They regularly update the KV Store with new indicators. The team notices that searches using the lookup are very slow when the KV Store contains over 100,000 entries. They want to improve lookup performance without losing the ability to update frequently. Which approach should they take?

A. Split the KV Store into multiple smaller KV Stores based on threat_type
B. Convert the KV Store to a CSV file and use the lookup command
C. Add an index on the 'indicator' field in the KV Store collection to speed up lookup queries
D. Increase the memory allocation for the Splunk search head

Answer: C

Indexing the lookup field reduces search time when matching events.

Why this answer

Option C is correct because adding an index on the 'indicator' field in the KV Store collection allows Splunk to perform faster lookups by using a B-tree or similar index structure, reducing the need for a full collection scan. This directly addresses the performance degradation seen with over 100,000 entries while still supporting frequent updates, as indexes are maintained dynamically.

Exam trap

Splunk often tests the misconception that splitting data or increasing hardware resources is the primary solution for performance issues, when in fact proper indexing is the correct database optimization technique for KV Store lookups.

How to eliminate wrong answers

Option A is wrong because splitting the KV Store into multiple smaller stores based on threat_type would require the search to query multiple collections or use a union, adding complexity and potentially still scanning all entries if the indicator is not tied to a specific threat_type. Option B is wrong because converting to a CSV file and using the lookup command would remove the ability to update frequently (CSV files are static unless regenerated) and would not improve performance for large datasets, as CSV lookups are loaded entirely into memory. Option D is wrong because increasing memory allocation for the Splunk search head does not optimize the KV Store lookup itself; it may help with overall search performance but does not address the root cause of slow KV Store queries, which is the lack of an index on the lookup field.

Question 3 · Drag & Drop · medium

Drag and drop the steps to configure Splunk to use LDAP authentication into the correct order.


Why this order

LDAP setup involves selecting the method, configuring server details, mapping groups, and testing.

Question 4 · MCQ · medium

A user wants to replace a field value 'ERROR' with 'Error' in search results. Which command should be used within a search to achieve this transformation?

A. rex field=_raw 's/ERROR/Error/g'
B. eval severity=replace(severity, "ERROR", "Error")
C. lookup severity_lookup severity OUTPUT new_severity
D. convert ctime(_time)

Answer: B

eval with replace function modifies the field value.

Why this answer

Option B is correct because the `replace` function in the `eval` command performs a case-sensitive string replacement on a specific field. In this case, it replaces the exact string 'ERROR' with 'Error' in the `severity` field, which is the precise transformation requested. Unlike `rex`, `replace` does not require regex syntax and directly modifies the field value without affecting other parts of the event.

Exam trap

Splunk often tests the distinction between `rex` (which modifies raw text or a field using regex) and `eval` with `replace` (which performs a simple string replacement on a specific field), leading candidates to choose `rex` when a field-level substitution is needed.

How to eliminate wrong answers

Option A is wrong because `rex field=_raw 's/ERROR/Error/g'` applies a regex substitution to the entire `_raw` field, not to a specific field like `severity`, and it would modify all occurrences of 'ERROR' in the raw event text, which is not the requested transformation. Option C is wrong because a lookup command is used to enrich events with external data or map values from a CSV or KV store, not to perform a simple string replacement within a field. Option D is wrong because `convert ctime(_time)` converts a timestamp from epoch format to a human-readable time string, which has nothing to do with replacing a field value.

Question 5 · MCQ · easy

An analyst runs a search and notices that a field `status_code` contains values like '200', '404', '500'. They want to categorize these as 'Success' or 'Error'. Which approach is most efficient?

A. Use the csv file as a lookup and inputlookup to filter.
B. Use eval with case function to map status codes to categories directly in the search.
C. Create a lookup table with status codes and categories, then use the lookup command.
D. Use the rename command to change field values.

Answer: B

Eval case is efficient and easy to write for simple mappings.

Why this answer

Option B is correct because using `eval` with `case` is the most efficient approach for a simple, static mapping of status codes to categories directly within the search pipeline. It avoids the overhead of disk I/O and lookup table management, and it executes entirely in memory on the search head or indexer, making it ideal for small, hardcoded mappings.

Exam trap

Splunk often tests the distinction between `eval` with `case` (inline transformation) and lookup-based approaches, trapping candidates who over-engineer a solution by choosing a lookup when a simple `eval` is more efficient and appropriate.

How to eliminate wrong answers

Option A is wrong because `inputlookup` is used to load an entire lookup file into the search, not to filter or map field values; it would require a separate lookup table and adds unnecessary complexity. Option C is wrong because creating a lookup table and using the `lookup` command introduces file-based I/O and is overkill for a simple static mapping that can be done inline with `eval`. Option D is wrong because `rename` only changes the name of a field, not its values, so it cannot transform '200' into 'Success'.

Question 6 · MCQ · hard

A user runs a search and uses `| lookup mylookup myfield OUTPUT myfield2`. The search returns events that have myfield values, but myfield2 is null. The lookup file has matching entries. What is the most likely issue?

A. The lookup definition is case-sensitive and the event values have different case.
B. The lookup definition is missing the max_matches setting.
C. The lookup file has duplicate keys.
D. The lookup command should use OUTPUTNEW instead of OUTPUT.

Answer: A

Case mismatch prevents matching.

Why this answer

Option A is correct because the lookup definition in Splunk has a case-sensitivity setting. By default, lookups are case-insensitive, but if the lookup definition is configured to be case-sensitive, then the lookup will only match when the case of the event field value exactly matches the case in the lookup file. Since the events have myfield values but myfield2 is null, the lookup is failing to match due to case differences, even though the lookup file has matching entries.

Exam trap

Splunk often tests the nuance between case-sensitive and case-insensitive lookups, and the trap here is that candidates assume lookups are always case-insensitive by default, forgetting that the lookup definition can be explicitly configured for case-sensitive matching.

How to eliminate wrong answers

Option B is wrong because the max_matches setting controls the maximum number of rows returned per input value, not whether a match occurs; a missing max_matches setting would not cause null output for matching entries. Option C is wrong because duplicate keys in the lookup file would cause multiple matches, not null values; Splunk would still return a value for myfield2, possibly the first match. Option D is wrong because OUTPUTNEW is used to prevent overwriting existing field values, but the issue here is that myfield2 is null, meaning no match was found; using OUTPUTNEW would not change the outcome if the lookup fails to match.

Question 7 · Multi-Select · medium

Which THREE statements about Splunk lookups are true?

Select 3 answers
A. Lookups are automatically applied to all events in a search.
B. Lookups can only be performed on a single field.
C. Lookups can be defined in the Lookups section of Settings.
D. Lookups can be configured to run automatically when a field appears in an event.
E. Lookups can be used to add field values from an external source to your search results.

Answers: C, D, E

Lookup definitions are managed in Settings > Lookups.

Why this answer

Option C is correct because Splunk lookups are defined and managed in the Lookups section under Settings > Lookups, where you can upload lookup files, create lookup definitions, and configure automatic lookups. This is the central location for all lookup configuration, including CSV files, KV store collections, and external lookups.

Exam trap

Splunk often tests the misconception that lookups are automatically applied to all events, when in fact they require explicit invocation or automatic lookup configuration tied to specific fields.

Question 8 · MCQ · easy

Which command reads a lookup file and outputs it as search results?

A. | inputlookup mylookup.csv
B. | outputlookup mylookup.csv
C. | lookup mylookup.csv
D. | lookup definition mylookup

Answer: A

inputlookup outputs lookup contents.

Why this answer

The `| inputlookup mylookup.csv` command reads the specified lookup file (mylookup.csv) from the lookups directory and outputs its contents as search results, making it the correct choice. This command is specifically designed to load a static lookup table into the search pipeline for further processing or inspection.

Exam trap

The trap here is confusing `inputlookup` (which reads and outputs lookup data) with `lookup` (which enriches events) or `outputlookup` (which writes data), leading candidates to choose the wrong command for simply viewing a lookup file's contents.

How to eliminate wrong answers

Option B is wrong because `| outputlookup mylookup.csv` writes search results to a lookup file, not reads it. Option C is wrong because `| lookup mylookup.csv` is invalid syntax; the correct command to enrich events with lookup data is `| lookup mylookup.csv field1 OUTPUT field2` (or similar), and it does not output the lookup file as standalone results. Option D is wrong because `| lookup definition mylookup` retrieves the definition of a lookup configuration (e.g., from transforms.conf), not the data itself.

Question 9 · MCQ · medium

Your team uses a large CSV lookup 'users.csv' with 200,000 rows. When running searches that use this lookup via the lookup command, performance is slow. Which action would most improve performance?

A. Switch to an external lookup that queries a database
B. Increase the lookup timeout value
C. Add an index to the lookup file by converting to KV Store
D. Increase the max_matches setting for the lookup

Answer: C

KV Store allows indexing on fields, speeding up lookups.

Why this answer

Option C is correct because creating an index on the lookup fields (for example, by converting the CSV to a KV Store collection, or by using a time-based lookup with indexed fields) can speed up matching. Alternatively, filtering the lookup before joining reduces the number of rows processed. Option D is wrong because max_matches is only useful when an input value has multiple matches.

Option A is wrong because switching to an external lookup adds overhead. Option B is wrong because increasing the timeout does not improve performance.

Question 10 · MCQ · medium

A team has a lookup table 'app_errors.csv' that includes a field 'error_code'. They want to automatically join error descriptions from 'error_codes.csv' on 'error_code' every time they search a sourcetype. What is the best way to achieve this?

A. Set up an automatic lookup in props.conf for the sourcetype
B. Use an eval statement with if() to assign description
C. Configure field aliases to rename 'error_code'
D. Use the lookup command in every search

Answer: A

Automatic lookups run on all events matching the sourcetype.

Why this answer

Option A is correct because an automatic lookup in props.conf allows you to define a lookup that runs automatically on every search for a given sourcetype, without requiring manual invocation. This configuration joins the 'error_code' field from the search results with the 'error_codes.csv' lookup table, appending the description field to every event of that sourcetype. It is the most efficient and consistent method for automatically enriching data at search time.

Exam trap

Splunk often tests the distinction between automatic lookups (configured in props.conf) and manual lookups (using the lookup command), and the trap here is that candidates may choose the manual lookup command because they are familiar with it, overlooking the requirement for automation.

How to eliminate wrong answers

Option B is wrong because using an eval statement with if() would require manually coding conditional logic for each possible error_code, which is impractical for a large or dynamic set of codes and does not leverage the lookup table. Option C is wrong because field aliases only rename fields, they do not perform joins or enrich data with descriptions from another table. Option D is wrong because using the lookup command in every search requires users to remember and type the command each time, which is error-prone and inconsistent, whereas the requirement is for automatic joining on every search of the sourcetype.

Question 11 · MCQ · hard

You are a Splunk admin for a large enterprise with multiple distributed Splunk components. The security team frequently runs searches that use a large CSV lookup file (500MB) containing threat intelligence indicators. They report that searches are slow and sometimes time out. The lookup file is updated hourly via an automated script. The team currently uses the 'lookup' command in every search. You need to improve performance without sacrificing data freshness. Your environment has a search head cluster and indexer cluster. The lookup file is stored on a shared filesystem accessible to all search heads. Which single approach will best improve search performance while maintaining hourly updates?

A. Configure the lookup as a time-based lookup with a filter condition to only apply to events with matching IP fields, and use automatic lookup to avoid manual command.
B. Increase the search concurrency limit on the search head to allow more parallel lookups.
C. Convert the CSV to a KV Store collection and use the 'lookup' command with the KV Store lookup.
D. Move the CSV file to each indexer and use index-time field lookup.

Answer: A

Time-based lookups and filtering reduce the number of events processed, improving speed.

Why this answer

Option A is correct because configuring the lookup as a time-based lookup with a filter condition reduces the number of events that need to be matched against the 500MB CSV, and using an automatic lookup eliminates the need for the manual 'lookup' command in every search. This approach improves performance by limiting the lookup scope to relevant events (e.g., only those with matching IP fields) while still allowing the hourly script to update the CSV file, maintaining data freshness.

Exam trap

The trap here is that candidates often assume that moving data to indexers (Option D) or using KV Store (Option C) will always improve performance, without considering the overhead of index-time operations or the limitations of KV Store for large, frequently updated datasets.

How to eliminate wrong answers

Option B is wrong because increasing search concurrency does not address the root cause of slow lookups; it only allows more searches to run simultaneously, which can actually degrade performance further by increasing resource contention. Option C is wrong because converting to a KV Store collection would require significant re-engineering and may not support the same hourly update mechanism; KV Store lookups are typically used for smaller, frequently updated datasets and can introduce latency for large files. Option D is wrong because moving the CSV to each indexer for index-time field lookup would require rebuilding the index for every hourly update, which is impractical and would cause significant indexing delays, defeating the purpose of maintaining data freshness.

Question 12 · Multi-Select · hard

A Splunk administrator is troubleshooting a time-based lookup that is supposed to match events to a lookup table that changes over time. The lookup is defined with time_field 'start_time' and time_format '%Y-%m-%d %H:%M:%S'. Which THREE conditions must be met for the time-based lookup to correctly match an event to a single row in the lookup table? (Choose three.)

Select 3 answers
A. The lookup table must have exactly one row per unique time value
B. The lookup must be defined as an automatic lookup in props.conf
C. The lookup definition must specify the time format used in the time_field column
D. The event's timestamp (or a specified time field) must fall between the start_time and the end_time of a row
E. The event must match at most one row in the lookup table for the given time range

Answers: C, D, E

The time_format must match the format in the lookup file for correct parsing.

Why this answer

Option C is correct because the lookup definition must specify the time format used in the time_field column so that Splunk can correctly parse the time values in the lookup table. Without this format specification, Splunk cannot interpret the timestamps and the time-based matching will fail.

Exam trap

The trap here is that candidates often think a time-based lookup requires exactly one row per time value (Option A) or that it must be defined as an automatic lookup (Option B), but the core requirements are the time format specification, the time range containment, and the single-row match constraint.

Question 13 · MCQ · easy

A user has a lookup file containing employee email addresses and department names. They want to add the department field to search results containing the employee's email. Which command should they use?

A. inputlookup employee_department.csv
B. lookup employee_department.csv email OUTPUT department
C. eval department=employee_department(email)
D. outputlookup employee_department.csv

Answer: B

Lookup joins on the email field and outputs the department field into search results.

Why this answer

The `lookup` command is designed to enrich search results by matching a field in the events (e.g., email) against a lookup table (e.g., employee_department.csv) and outputting additional fields (e.g., department). Option B correctly uses the syntax `lookup employee_department.csv email OUTPUT department`, which performs a field-based lookup and appends the department field to matching events.

Exam trap

The trap here is that candidates confuse `inputlookup` (which reads the file as events) with `lookup` (which enriches existing events), leading them to choose option A when they need field enrichment.

How to eliminate wrong answers

Option A is wrong because `inputlookup` loads the entire lookup file as search results, not as a field enrichment tool; it would return all rows from the CSV instead of adding the department field to existing events. Option C is wrong because `eval` cannot perform a lookup; it is used for field calculations and transformations, not for retrieving data from external files. Option D is wrong because `outputlookup` writes search results to a lookup file, which is the opposite of what is needed—it does not add fields to events.

Question 14 · MCQ · hard

An organization uses a KV Store lookup to maintain a list of known malicious IPs. The lookup is updated every 5 minutes via a script. Analysts complain that their searches sometimes miss recent additions. What is the most likely cause?

A. The lookup is configured as time-based and is out of range
B. The IP addresses are case-sensitive and messy
C. The search does not include the _raw field
D. The KV Store lookup is cached and not refreshed between searches

Answer: D

Caching can cause latency; disable caching or force refresh.

Why this answer

Option D is correct because, by default, KV Store lookups are cached and only reloaded when the cache expires or at search time. If the cache is stale, recent updates may not be seen. Option C is wrong because field filtering does not affect lookup content.

Option B is wrong because lookup is case-sensitive by default. Option A is wrong because time-based lookups are not for KV Store.

Question 15 · MCQ · easy

An analyst runs a search and needs to view only events where the 'status' field has a value of 'failed'. Which command should be used?

A. table status
B. search status=failed
C. eval status = "failed"
D. where status = "failed"

Answer: D

where filters events based on field values.

Why this answer

Option D is correct because the `where` command in Splunk allows you to filter events based on a field value using a comparison expression. In this case, `where status = "failed"` evaluates each event and retains only those where the `status` field exactly matches the string "failed". This is the appropriate command when you need to filter results after the initial search has already been run, or when you need to use comparison operators that are not available in the `search` command.

Exam trap

Splunk often tests the distinction between the `search` command (which is implicit at the start of a search and uses key=value syntax) and the `where` command (which is used later in the pipeline and requires an expression with quotes around string values), causing candidates to mistakenly choose `search status=failed` when the context requires filtering after initial search processing.

How to eliminate wrong answers

Option A is wrong because `table status` only returns a table with the `status` field values, but does not filter events to show only those with a value of 'failed'. Option B is wrong because `search status=failed` is a valid search command but it is used at the beginning of a search pipeline to filter events before any other processing; the question implies the analyst is already running a search and needs to view only events where status is 'failed', which is better accomplished with `where` to avoid re-running the search. Option C is wrong because `eval status = "failed"` creates or overwrites the `status` field with the value "failed" for every event, rather than filtering events based on an existing field value.

Question 16 · MCQ · hard

Refer to the exhibit. The search returns a count for only a subset of user_ids, even though all user_ids exist in the lookup. What could explain this?

A. The stats command is grouping by user_id, which combines multiple events into one count per user.
B. The lookup definition must also include the OUTPUT fields in the definition for them to be used.
C. The lookup definition has max_matches=1, but some user_ids have multiple matches in the lookup file.
D. The events that are missing have different user_id representations (e.g., leading/trailing spaces) causing lookup failure, so first_name is null and they are filtered out.

Answer: D

If lookup fails, first_name is null, then where removes them, so they don't appear in stats.

Why this answer

Option D is correct because the lookup command matches user_id values exactly. If some events have user_id values with leading/trailing spaces or other subtle differences (e.g., case sensitivity), the lookup fails to match those events, resulting in null first_name values. The subsequent `stats count by first_name` then filters out those null values, so only the subset of user_ids that successfully matched appear in the results.

Exam trap

Splunk often tests the subtlety that lookup failures due to data quality issues (like whitespace or case) cause null output fields, which are then silently dropped by subsequent commands like `stats`, leading to incomplete results.

How to eliminate wrong answers

Option A is wrong because the stats command grouping by user_id would still count all user_ids, not just a subset; the issue is that some user_ids are missing entirely from the results. Option B is wrong because the lookup definition does not require OUTPUT fields to be listed in the definition for them to be used; OUTPUT fields can be specified inline in the search command. Option C is wrong because max_matches=1 controls how many matches are returned per input, not whether a match occurs; if multiple matches exist, the first match is still returned, so it would not cause some user_ids to be completely absent.

Question 17 · MCQ · medium

Refer to the exhibit. The search returns no results for the 'country' field even though the lookup file exists and contains IP-to-country mappings. Which is the most likely issue?

A. The lookup command should be placed before the rex command.
B. The country field already exists in the events.
C. The lookup file is in the wrong directory.
D. The IP field extracted by rex is in a different format than the lookup key.

Answer: D

Format mismatch prevents matches.

Why this answer

The most likely issue is that the IP field extracted by the `rex` command is in a different format than the lookup key (e.g., the lookup expects an integer representation of the IP, or a different subnet notation, or the extracted field contains extra characters like whitespace or quotes). Lookups match based on exact string equality, so any mismatch in format (e.g., '192.168.1.1' vs '192.168.001.001' or '3232235521') will cause zero results, even if the lookup file is correctly configured and contains the mapping.

Exam trap

Splunk often tests the subtlety that a lookup can silently return zero results when the field format (e.g., IP as string vs integer, or with/without leading zeros) does not exactly match the lookup key, leading candidates to mistakenly blame file location or command order.

How to eliminate wrong answers

Option A is wrong because the `rex` command extracts the IP field from raw event data, and the `lookup` command must come after extraction to use that field; placing lookup before rex would mean the IP field does not yet exist. Option B is wrong because if the country field already existed in the events, the lookup would either overwrite it (depending on `output` parameters) or cause a field conflict, but it would not prevent the lookup from returning results—the issue is no results at all. Option C is wrong because if the lookup file were in the wrong directory, Splunk would generate a 'lookup table not found' error in the search job inspector, not simply return zero results without error.

Question 18 · MCQ · hard

A search uses a lookup that returns a field 'priority'. The admin wants to use the lookup only for events where the 'source' is 'firewall'. Which command should be used?

A. source=firewall | lookup priority_lookup source OUTPUT priority
B. | lookup priority_lookup source OUTPUT priority
C. | lookup priority_lookup source OUTPUT priority | where source="firewall"
D. | lookup priority_lookup source OUTPUT priority WHERE source="firewall"

Answer: A

Filters first, then lookup only on those events.

Why this answer

Option A is correct because it first filters events with `source=firewall` using a search-time field filter, then applies the `lookup` command only to those events. This ensures the lookup is performed exclusively on firewall events, minimizing resource usage and avoiding unnecessary lookups on other sources.

Exam trap

Splunk often tests the order of operations in the Splunk search pipeline, where candidates mistakenly think a `WHERE` clause inside the lookup command or a post-lookup filter achieves the same result as pre-filtering with a leading search term.

How to eliminate wrong answers

Option B is wrong because it applies the lookup to all events regardless of source, which does not restrict the lookup to firewall events as required. Option C is wrong because it applies the lookup to all events first and then filters with `where source="firewall"`, which wastes processing on non-firewall events and may cause incorrect results if the lookup modifies the source field. Option D is wrong because the `WHERE` clause in a lookup command is not a valid syntax for filtering events before the lookup; it is used to specify lookup file conditions, not to filter the base search results.

Question 19 · MCQ · easy

A user wants to see the list of all fields that are extracted from a specific sourcetype. Which command should they use?

A. | rex field=_raw ...
B. | fields *
C. | eval fields=...
D. | fieldsummary

Answer: D

fieldsummary provides a summary of fields, including names.

Why this answer

The `fieldsummary` command provides a summary of all fields extracted from the events in the search results, including their count, distinct count, and percentage of events containing each field. When applied to a specific sourcetype, it lists every field that has been extracted from that sourcetype, making it the correct tool for this task.

Exam trap

Splunk often tests the distinction between commands that list fields (`fieldsummary`) versus commands that extract or manipulate fields (`rex`, `eval`, `fields`), leading candidates to confuse the purpose of `fields *` (which removes fields) with listing them.

How to eliminate wrong answers

Option A is wrong because `rex field=_raw ...` is used to extract new fields from raw event data using regular expressions, not to list existing fields. Option B is wrong because `fields *` removes all fields from the search results except those explicitly listed, which would hide the fields rather than show them. Option C is wrong because `eval fields=...` creates or modifies a single field named 'fields', not a list of all extracted fields.

20
Multi-Select · medium

Which TWO of the following commands can be used to view the current fields in a search result?

Select 2 answers
A. | outputlookup mylookup.csv
B. | inputlookup mylookup.csv
C. | listfields
D. | fields
E. | fieldsummary
Answers: D, E

Shows all fields present.

Why this answer

The `| fields` command is used to keep or remove specific fields from search results, effectively showing you the current fields that exist in the result set. The `| fieldsummary` command produces a statistical summary of all fields present in the search results, including count, distinct count, and other metrics, thereby also allowing you to view the current fields.

Exam trap

Splunk often tests the distinction between commands that modify or filter fields versus commands that merely display or summarize field metadata, leading candidates to confuse `| outputlookup` or `| inputlookup` with field-viewing commands.

21
MCQ · medium

A security team needs to enrich their authentication events with risk scores from a CSV file that maps username to risk_score. The CSV is updated daily and has 100,000 rows. Which lookup configuration is most appropriate?

A. Use a time-based lookup to match event time with lookup time
B. Set up an external lookup that calls a REST API
C. Create a KV Store lookup and update it via REST
D. Configure a CSV lookup and use lookup command in search
Answer: D

CSV lookups are efficient for large, periodically updated reference data.

Why this answer

Option D is correct because a CSV lookup is the simplest and most efficient way to enrich events with static data from a file that is updated daily. The `lookup` command can be used in search to match the username field from events to the username column in the CSV and add the risk_score field. For 100,000 rows, a CSV lookup is appropriate as it is loaded into memory and can be refreshed by replacing the file, without needing complex infrastructure.

Exam trap

Splunk often tests the distinction between static CSV lookups and dynamic KV Store lookups, and the trap here is that candidates over-engineer the solution by choosing a KV Store or external lookup when a simple CSV lookup is sufficient for a daily-updated static file.

How to eliminate wrong answers

Option A is wrong because time-based lookups are used for time-series data where the lookup value changes over time (e.g., historical asset ownership), not for a static CSV that maps username to risk_score; the CSV is updated daily as a whole file, not time-stamped per row. Option B is wrong because an external lookup that calls a REST API would introduce unnecessary latency and complexity for a simple static mapping, and it is typically used for real-time data enrichment from external systems, not for a daily CSV file. Option C is wrong because a KV Store lookup is a dynamic, writable store that requires REST API calls to update and is overkill for a static CSV that is replaced daily; it is better suited for frequently changing data that needs to be modified by multiple users or apps.

22
Multi-Select · easy

Which TWO of the following must be true for the lookup to return results?

Select 2 answers
A. The events must contain a field named 'county'.
B. The events must contain a field named 'zip_code'.
C. The lookup must be configured with `inputlookup` instead of `lookup`.
D. The lookup file must contain a field named 'city'.
E. The lookup file must contain a field named 'zip_code'.
Answers: B, E

The events must have the input field for the lookup to match.

Why this answer

The lookup command matches events to the lookup file based on the input field (zip_code) and outputs additional fields (city, state). For the lookup to work, the events must contain a field named 'zip_code' (option B) and the lookup file must contain a field named 'zip_code' (option E). The other options are not requirements: county is not involved, the lookup file can have any other fields, and `inputlookup` is a different command.

23
MCQ · hard

A Splunk administrator configured an automatic lookup as shown. When searching index=main source=/var/log/auth.log, the department field is not populated. What is the most likely cause?

A. The LOOKUP- stanza requires a numeric priority.
B. The transforms.conf file is not in the correct directory.
C. The user_lookup.csv file does not exist in the lookups directory.
D. The match_type syntax is incorrect and the field mapping is mismatched.
Answer: D

WILDCARD expects quotes and the field names must match.

Why this answer

Option D is correct because the most common cause for a lookup not populating a field is a mismatch between the field mapping in the transforms.conf stanza and the actual field names in the lookup table. If the match_type syntax is incorrect (e.g., using WILDCARD instead of EXACT or specifying the wrong field name), Splunk will fail to match events to lookup entries, leaving the department field empty.

Exam trap

The trap here is that candidates often assume the lookup file is missing or misconfigured (options A, B, or C) when the real issue is a subtle mismatch in field names or match_type syntax, which Splunk does not flag with an obvious error but simply returns no results.

How to eliminate wrong answers

Option A is wrong because the LOOKUP- stanza does not require a numeric priority; the priority is optional and only used when multiple lookups are defined for the same field to control evaluation order, not for basic functionality. Option B is wrong because the transforms.conf file must be in the correct directory (e.g., $SPLUNK_HOME/etc/system/local/ or an app's local/ directory), but if it were missing or misplaced, Splunk would not load the lookup definition at all, which would typically cause a different error (e.g., 'lookup table not found') rather than just an empty field. Option C is wrong because if the user_lookup.csv file did not exist in the lookups directory, Splunk would generate an error in the search log or the lookup would fail entirely, not silently leave the department field empty.

24
MCQ · hard

An analyst wants to automatically look up a field 'user_id' in a lookup file every time a search is run, without having to type the lookup command manually. Which approach is best?

A. Configure a lookup definition and set it as a default lookup for the index.
B. Add the lookup to the search command.
C. Create a regex extraction for user_id.
D. Use an alias to rename the field.
Answer: A

Automatically applied to all searches on the index.

Why this answer

Option A is correct because configuring a lookup definition and setting it as a default lookup for the index ensures that the lookup is automatically applied to every search run against that index, without requiring the user to manually include the `lookup` command. This is achieved by defining the lookup in the Lookups settings and then associating it with the index via the 'Default Lookup' setting in the Indexes configuration, which Splunk automatically appends to all searches on that index.

Exam trap

The trap here is that candidates often confuse 'default lookup' with 'automatic field extraction' or 'alias', thinking that extracting the field or renaming it will somehow trigger the lookup automatically, when in fact only a properly configured default lookup definition achieves this behavior.

How to eliminate wrong answers

Option B is wrong because adding the lookup to the search command requires the analyst to manually type the `lookup` command each time, which contradicts the requirement of automatic application without manual intervention. Option C is wrong because creating a regex extraction for user_id would only extract the field from raw events, but it would not perform a lookup to enrich the data with additional fields from an external file; regex extractions are for field extraction, not for lookups. Option D is wrong because using an alias to rename a field only changes the field name in the search results, but it does not perform a lookup or automatically enrich data with values from a lookup file.

25
MCQ · hard

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?

A. mvexpand
B. untable
C. stats
D. makemv
Answer: A

mvexpand creates separate events for each multivalue entry.

Why this answer

The `mvexpand` command is correct because it takes a multivalue field (such as one created by a lookup returning multiple matches) and expands it into separate events, one for each value. This allows the admin to see each matched value as an individual event, which is exactly the requirement.

Exam trap

The trap here is that candidates often confuse `makemv` (which only creates a multivalue field) with `mvexpand` (which actually splits that field into separate events), leading them to choose `makemv` when the requirement is to see each value as a distinct event.

How to eliminate wrong answers

Option B is wrong because `untable` is used to transform data from a tabular format into a key-value pair format, not to expand multivalue fields into separate events. Option C is wrong because `stats` aggregates data (e.g., count, sum) and does not expand multivalue fields; it would collapse events rather than create new ones. Option D is wrong because `makemv` creates a multivalue field from a string (e.g., splitting by a delimiter), but it does not expand the values into separate events—it only changes the field's internal representation.

26
Multi-Select · easy

Which TWO of the following are valid ways to extract fields in Splunk? (Choose two.)

Select 2 answers
A. Using a lookup to extract fields from raw data
B. Using the Extract New Fields dialog in the UI
C. Using the rex command in a search
D. Using the fields command
E. Using the regex command in a search
Answers: B, C

The UI's field extractor uses regex or delimiters.

Why this answer

Option B is correct because the 'Extract New Fields' dialog in the Splunk UI provides a graphical interface to define field extractions using regex patterns, which are then saved as inline or custom field extractions. Option C is correct because the 'rex' command is a dedicated search-time command that extracts fields from raw event data using named capturing groups in a regular expression.

Exam trap

The trap here is that candidates often confuse the 'fields' command (which filters existing fields) with field extraction commands, or mistakenly think 'regex' is a valid Splunk command when only 'rex' exists.

27
MCQ · medium

A Splunk administrator receives a complaint that a saved search is slow. The search uses a lookup to enrich events with a CSV file that has 500,000 rows. Which optimization is most effective?

A. Sort events by the lookup key field before the lookup command.
B. Convert the CSV lookup to a KV store lookup for faster access.
C. Increase the search time range to process more events at once.
D. Filter events early using eval or where before applying the lookup.
Answer: D

Reducing the number of events that need to be looked up improves performance.

Why this answer

Option D is correct because filtering events early with `eval` or `where` reduces the volume of data that must be processed by the lookup command. Since lookups perform a row-by-row match against a 500,000-row CSV, minimizing the number of events before the lookup drastically cuts I/O and CPU overhead, making the search faster.

Exam trap

The trap here is that candidates often think sorting or converting to KV store will speed up lookups, but Splunk’s CSV lookups are not indexed and the KV store is designed for writes, not read-heavy static data, so early filtering is the only optimization that reduces the actual workload.

How to eliminate wrong answers

Option A is wrong because sorting events by the lookup key field does not reduce the number of events or improve lookup performance; Splunk’s lookup command does not require sorted input and sorting adds overhead. Option B is wrong because converting a CSV lookup to a KV store lookup does not inherently speed up access for a static, read-only dataset; KV store is optimized for dynamic, transactional updates, not bulk read performance, and the conversion adds complexity without guaranteed speed gains. Option C is wrong because increasing the search time range processes more events, which would slow the search further, not optimize it.

28
MCQ · medium

A team uses a lookup to map IP addresses to geographic locations. The lookup is large and updated weekly. Which lookup type is best suited?

A. File-based CSV lookup
B. External lookup
C. Scripted lookup
D. KV store lookup
Answer: A

CSV lookups are simple, efficient for static data, and easy to update by replacing the file.

Why this answer

Option A is correct because file-based CSV lookups are ideal for static, regularly updated data. Option B is wrong because external lookups require external scripts. Option C is wrong because scripted lookups are for custom logic, which is not necessary here. Option D is wrong because the KV store is for real-time updates and dynamic data.

29
Multi-Select · easy

Which TWO commands can be used to bring lookup data into a search?

Select 2 answers
A. outputlookup
B. inputlookup
C. csvlookup
D. filelookup
E. lookup
Answers: B, E

Loads lookup file as events.

Why this answer

The `inputlookup` command is used to load the contents of a static lookup table (CSV or KV store) into the search pipeline as events, making it available for further processing. The `lookup` command enriches search results by adding fields from a lookup table based on a field match, effectively bringing lookup data into the search context. Both commands allow lookup data to be used within a search, but in different ways: `inputlookup` loads the entire table as events, while `lookup` appends fields to existing events.

Exam trap

The trap here is that candidates confuse `outputlookup` (which exports data) with `inputlookup` (which imports data), and they may invent commands like `csvlookup` or `filelookup` that sound plausible but do not exist in Splunk's command set.

30
Multi-Select · medium

Which of the following are true statements about using fields and lookups in Splunk? Choose all that apply. (There are four correct answers.)

Select 4 answers
A. A lookup table can be used to add fields to events based on a match between a field in the event and a field in the lookup file.
B. The `| lookup` command can be used to join a lookup table with search results, and it supports both CSV files and KV store collections.
C. Extracted fields using the `| rex` command are automatically added to the field sidebar and can be used in searches without any additional configuration.
D. Geospatial lookups require the lookup file to contain latitude and longitude coordinates and are typically used with the `| geom` command to visualize data on a map.
E. The `| inputlookup` command is used to load the entire contents of a lookup file into search results, allowing you to inspect or aggregate on the lookup data directly.
F. Field aliases defined in props.conf can rename a field in search results without altering the raw data, but they are not applied retroactively to events indexed in the past.

Why this answer

The first option is correct because lookup tables in Splunk allow you to add fields to events by matching a field in the event with a field in the lookup file, enriching the data. The second option is correct because the `| lookup` command supports both CSV files and KV store collections, enabling flexible data enrichment. The fourth option is correct because geospatial lookups require latitude and longitude coordinates and are used with the `| geom` command for map visualizations. The fifth option is correct because `| inputlookup` loads the entire lookup file into search results, allowing direct inspection or aggregation of lookup data.

Exam trap

Splunk often tests the misconception that `| rex` extracted fields are automatically added to the field sidebar and searchable without additional configuration, but in reality they are transient within the search pipeline unless explicitly persisted.

31
Multi-Select · medium

Which THREE of the following are true about lookups in Splunk? (Choose three.)

Select 3 answers
A. A lookup can be defined using a CSV file
B. Lookups are case-insensitive by default
C. Lookups can only return a single field
D. Lookups can be used to add fields from external sources
E. Lookups support time-based matching
Answers: A, D, E

CSV is a common lookup source.

Why this answer

Option A is correct because Splunk allows you to define a lookup using a static CSV file stored in the lookups directory of an app. This CSV file acts as a lookup table that maps fields in your events to additional fields, enabling field enrichment without modifying the original data.

Exam trap

The trap here is that candidates often assume lookups are case-insensitive by default, but Splunk actually treats them as case-sensitive unless explicitly configured otherwise, and they may also mistakenly think lookups can only return one field, overlooking the ability to return multiple columns from the lookup table.

32
Multi-Select · medium

Which THREE statements about the 'rex' command are correct? (Choose three.)

Select 3 answers
A. rex can be used to extract fields from any string field
B. rex can extract fields using named capturing groups
C. rex can only extract one field per command
D. rex automatically converts extracted values to numeric
E. rex can be used to modify existing field values
Answers: A, B, E

Default field is _raw, but others can be specified.

Why this answer

Option A is correct because the 'rex' command can extract fields from any string field, not just the default `_raw` field. By specifying the `field` argument, you can target any field containing string data, such as `field=uri_path` or `field=host`, and use a regular expression to extract new fields from its value.

Exam trap

Splunk often tests the misconception that 'rex' can only extract one field per command, when in reality multiple named capturing groups in a single regex extract multiple fields simultaneously.

33
MCQ · hard

Refer to the exhibit. The search results show city and country fields from the GeoIP lookup. What does the automatic lookup use as the input field to match against the lookup table?

A. ip
B. All fields in the event
C. No input field, it directly appends all lookup fields
D. clientip
Answer: A

The automatic lookup uses the field name from the lookup table as the input field by default.

Why this answer

The automatic GeoIP lookup in Splunk uses the `ip` field as the default input field to match against the lookup table. This is because the GeoIP lookup is designed to map IP addresses to geographic locations, and the lookup table expects an IP address as the key. When you configure an automatic lookup, you specify the input field (e.g., `ip`) that corresponds to the lookup table's key field, allowing Splunk to enrich events with location data.

Exam trap

Splunk often tests the misconception that automatic lookups automatically use any IP-related field (like `clientip`) or that they append fields without a match, when in fact the default input field for GeoIP lookups is `ip` and must be explicitly configured if the IP data resides in a different field.

How to eliminate wrong answers

Option B is wrong because automatic lookups do not use all fields in the event; they require a specific input field defined in the lookup configuration to match against the lookup table. Option C is wrong because automatic lookups always require an input field to match against the lookup table; they do not directly append all lookup fields without a match condition. Option D is wrong because `clientip` is not the default input field for GeoIP lookups; while it could be used if explicitly configured, the standard GeoIP lookup uses the `ip` field as the input, and the exhibit shows the `ip` field being used in the search results.

34
MCQ · medium

A user creates a calculated field that extracts the domain from email addresses using the expression `| rex field=email "(?P<domain>@\w+\.\w+)"`. However, the calculated field does not appear in search results. What is the most likely reason?

A. Calculated fields must be enabled in props.conf with REPORT clauses.
B. Calculated fields are only applied at search time, not index time.
C. The field extraction is incorrect.
D. Calculated fields must be used with the `eval` command.
Answer: A

Requires proper configuration.

Why this answer

Option A is correct because calculated fields in Splunk require explicit configuration in props.conf using a REPORT clause to define the extraction. Without this configuration, the calculated field is not available for use in searches, even if the extraction expression is valid. The user's calculated field definition is missing the necessary props.conf setup, so it never gets applied.

Exam trap

The trap here is that candidates assume a valid regex in a calculated field definition is sufficient for it to appear in results, overlooking the mandatory props.conf configuration step that Splunk requires for persistent field extractions.

How to eliminate wrong answers

Option B is wrong because calculated fields are applied at search time, not index time, which is actually the default behavior and does not prevent the field from appearing; the issue is the lack of props.conf configuration. Option C is wrong because the regular expression `(?P<domain>@\w+\.\w+)` is syntactically correct for extracting the domain from an email address, so the extraction itself is not the problem. Option D is wrong because calculated fields are defined in props.conf and do not require the `eval` command; `eval` is used for ad-hoc field creation in searches, not for persistent calculated fields.

35
MCQ · easy

Which of the following best describes the purpose of the 'fields' command in a search?

A. To keep or remove specified fields from events
B. To rename existing fields
C. To add fields from a lookup table
D. To extract new fields from raw data
Answer: A

fields command includes or excludes fields.

Why this answer

The 'fields' command in Splunk is used to either keep (include) or remove (exclude) specified fields from search results. By default, all extracted fields are returned, but 'fields' allows you to narrow the output to only relevant fields (e.g., `fields clientip, status`) or to drop unwanted fields (e.g., `fields - _raw`). This improves readability and performance by reducing the data volume passed to subsequent commands.

Exam trap

The trap here is that candidates often confuse 'fields' with 'rex' or 'extract' for field creation, or with 'lookup' for field enrichment, because all involve manipulating fields but serve fundamentally different purposes.

How to eliminate wrong answers

Option B is wrong because renaming fields is done with the 'rename' command, not 'fields'. Option C is wrong because adding fields from a lookup table is accomplished using the 'lookup' command (or 'inputlookup'), not 'fields'. Option D is wrong because extracting new fields from raw data is performed by the 'rex' command (using regular expressions) or by using the 'extract' command (for delimited extractions), not by 'fields'.

36
MCQ · easy

Which of the following is a default field that is automatically extracted by Splunk?

A. `department`
B. `error_code`
C. `user_id`
D. `host`
Answer: D

Default field.

Why this answer

The `host` field is a default field that Splunk automatically extracts from every event, typically derived from the hostname of the machine that generated the data. It is one of the three default fields (along with `source` and `sourcetype`) that Splunk uses to categorize and search events, and it is always available without any custom field extraction or configuration.

Exam trap

Splunk often tests the misconception that custom fields like `user_id` or `error_code` are automatically extracted, when in fact only the three metadata fields (`host`, `source`, `sourcetype`) are guaranteed to be present in every event without additional configuration.

How to eliminate wrong answers

Option A is wrong because `department` is not a default field; it is a custom field that would require explicit extraction via field extractions, lookups, or data preprocessing. Option B is wrong because `error_code` is not automatically extracted by Splunk; it is a field that must be defined through key-value extraction, regex, or structured data parsing. Option C is wrong because `user_id` is not a default field; it is typically extracted from application logs or authentication events and requires custom configuration or schema definition.

37
MCQ · hard

An analyst wants to use a lookup to enrich events only if a condition is met, e.g., only for events where `status=error`. Which search pattern is most efficient?

A. `index=main | lookup error_codes.csv code description | where status="error"`
B. `index=main | lookup error_codes.csv code description if(status="error")`
C. `index=main | where status="error" | lookup error_codes.csv code description`
D. `index=main | inputlookup error_codes.csv | where status="error"`
Answer: C

Filtering first reduces the events that need lookup, improving performance.

Why this answer

Option C is correct because it filters events with `where status="error"` before the `lookup` command, reducing the dataset that the lookup must process. This minimizes resource usage and improves search performance, as the lookup only runs against the relevant subset of events. In Splunk, placing filters early in the pipeline is a best practice for efficiency.

Exam trap

Splunk often tests the misconception that `inputlookup` can be used to enrich events, but it actually replaces the event stream with lookup contents, making it a common trap for candidates who confuse it with the `lookup` command.

How to eliminate wrong answers

Option A is wrong because it runs the lookup on all events and then filters with `where status="error"`, wasting resources on events that will be discarded. Option B is wrong because the `if()` function is not a valid argument for the `lookup` command; Splunk does not support conditional lookups with that syntax. Option D is wrong because `inputlookup` loads the entire lookup file as events, ignoring the original index data and failing to enrich events with the lookup fields.

38
MCQ · hard

An automatic lookup is configured but it is not enriching events. The lookup file is large (100MB) and is updated daily. What setting could improve performance?

A. Set `filter` in transforms.conf
B. Enable `batch_index_lookup = true`
C. Increase `max_matches`
D. Use `| lookup` instead of automatic
Answer: B

Speeds up lookups.

Why this answer

Option B is correct because enabling `batch_index_lookup = true` in transforms.conf allows Splunk to process the entire 100MB lookup file in a single batch operation rather than performing individual lookups for each event. This significantly reduces I/O overhead and improves performance for large, daily-updated lookup files by loading the entire lookup into memory once per batch.

Exam trap

The trap here is that candidates often confuse `batch_index_lookup` with other lookup optimizations like `filter` or `max_matches`, or assume that switching to a search-time `| lookup` command is always faster, when in fact the batch setting directly addresses the performance bottleneck of large automatic lookups.

How to eliminate wrong answers

Option A is wrong because setting `filter` in transforms.conf is used to restrict which events are processed by the lookup, not to improve performance for large files; it reduces the number of events but does not address the core issue of lookup file size or batch processing. Option C is wrong because increasing `max_matches` controls how many matching values are returned per event, not the performance of loading or querying a large lookup file; it can actually degrade performance by returning more results. Option D is wrong because using `| lookup` instead of automatic lookup would still perform individual lookups per event, which is less efficient than batch processing; the performance issue is not about the lookup method but about how the lookup is executed internally.

39
MCQ · hard

A user has a search that produces a chart of error counts by host. They want to add a calculated field 'error_rate' as errors per million events. Which approach is correct?

A. Use eventstats to get total counts, then eval to compute rate, then chart
B. Use chart eval(error_count/total_count) by host
C. Use stats to compute error_rate directly: stats avg(error_rate) by host
D. Use the lookup command to apply a calculated field
Answer: A

eventstats adds aggregate counts to each event.

Why this answer

Option A is correct because it uses `eventstats` to compute the total count of events per host across the entire result set, then `eval` to calculate the error rate as (error_count / total_count) * 1,000,000, and finally `chart` to display the results. This two-step approach ensures the total count is available for each row before the rate calculation, which is necessary because `chart` alone cannot reference a field computed in the same command.

Exam trap

Splunk often tests the distinction between `eventstats` and `stats`, where candidates mistakenly use `stats` to compute a rate in a single step, not realizing that `stats` collapses events and prevents per-row calculations without a separate `eventstats` pass.

How to eliminate wrong answers

Option B is wrong because `chart eval(error_count/total_count) by host` is invalid syntax; `chart` does not support an `eval` function inside its argument, and `total_count` is not defined in the search context. Option C is wrong because `stats avg(error_rate) by host` assumes `error_rate` already exists as a field, but it does not; also, `stats` cannot compute a rate from raw counts without first calculating those counts. Option D is wrong because the `lookup` command is used to enrich events with data from an external lookup table, not to compute calculated fields from existing event data.

40
MCQ · medium

A security analyst runs a search for failed logins and wants to display the source IP address, username, and count of failures. However, the field 'src_ip' is not showing in the field picker. Which of the following is the most likely reason?

A. The field has no values in the results.
B. The user does not have permission to view the field.
C. The field is not extracted by default from the data source.
D. The field name contains a typo.
Answer: C

Fields must be explicitly extracted using 'rex' or 'extract' to appear in the field picker if not automatically recognized.

Why this answer

Option C is correct because in Splunk, fields like 'src_ip' are not automatically extracted from raw event data unless the data source has a predefined source type that includes field extraction rules (e.g., via a technology add-on or custom regex). If the field does not appear in the field picker, it typically means the search has not extracted it from the raw events, so the analyst must use commands like `rex` or `extract` to parse it.

Exam trap

The trap here is that candidates often assume a missing field is due to permissions or no values, but Splunk's field picker only shows fields that have been explicitly extracted from the data, not all possible fields in the raw text.

How to eliminate wrong answers

Option A is wrong because if the field had no values, it would still appear in the field picker (with a count of zero) if it were extracted; the absence from the picker indicates it was never extracted. Option B is wrong because permission issues would prevent viewing the field's values or the field itself, but the field would still be listed in the field picker if it existed in the data; Splunk's role-based access controls do not hide field names from the picker. Option D is wrong because a typo in the field name would cause the search to not reference it correctly, but the field 'src_ip' would still appear in the field picker if it were extracted from the data; the issue is that it was never extracted.

41
Multi-Selecteasy

A user wants to view the contents of a lookup table file named `users.csv` that is stored in Splunk. Which two commands can be used? (Choose two.)

Select 2 answers
A.`| inputlookup users.csv`
B.`| inputlookup users` (assuming lookup name is users)
C.`| fields users.csv`
D.`| outputlookup users.csv`
E.`| lookup users.csv`
AnswersA, B

Reads the lookup.

Why this answer

Option A is correct because `| inputlookup users.csv` reads the contents of a static lookup table file named `users.csv` directly from Splunk's lookups directory. Option B is correct because `| inputlookup users` references the lookup by its defined name in transforms.conf, which maps to the file `users.csv`; this is the standard way to access a lookup that has been configured as a lookup definition.

Exam trap

The trap here is that candidates confuse `inputlookup` (which reads and displays lookup contents) with `lookup` (which enriches search results) or `outputlookup` (which writes data), and they forget that the lookup name in `inputlookup` can omit the file extension if a lookup definition exists.

42
MCQmedium

Refer to the exhibit. The search is not returning the `app_name` field as expected. The lookup has many entries with wildcard patterns. What is the most likely issue?

A.The lookup definition uses WILDCARD match type, which is incompatible with the lookup command.
B.The lookup command uses OUTPUTNEW, but the event already has an app_name field (possibly null) so the lookup does not overwrite it.
C.The eval statement should not rename src_ip; the lookup should directly use src_ip.
D.The lookup command needs the option max_matches=1 to work with wildcards.
AnswerB

OUTPUTNEW only adds the field if it doesn't exist; if it exists empty, it remains empty.

Why this answer

Option B is correct because the `OUTPUTNEW` clause in the `lookup` command only writes the field if it does not already exist in the event. If the event already contains an `app_name` field (even with a null value), the lookup will not overwrite it, so the expected value from the wildcard lookup is not returned. This is a common pitfall when using lookups with fields that may already be present in the data.

Exam trap

Splunk often tests the subtle difference between `OUTPUT` and `OUTPUTNEW` in lookups, and the trap here is that candidates assume `OUTPUTNEW` will always populate a field, not realizing it refuses to overwrite an existing field even if that field is null or empty.

How to eliminate wrong answers

Option A is wrong because the `WILDCARD` match type is fully compatible with the `lookup` command; it is designed to match patterns like `*` in lookup tables. Option C is wrong because renaming `src_ip` via `eval` is a valid approach to align field names with the lookup key, and the lookup can directly use the renamed field. Option D is wrong because `max_matches=1` controls how many results to return per input, but it does not affect the fundamental issue of `OUTPUTNEW` preventing overwrite of an existing field.

43
MCQhard

When using an automatic lookup in props.conf, which setting controls the order in which multiple automatic lookups apply to the same sourcetype?

A.The order in which they are listed in transforms.conf
B.The numeric suffix after LOOKUP- in props.conf
C.The `batch_index_query` setting
D.The `priority` field in the lookup definition
AnswerB

Rules with a lower numeric suffix are applied first.

Why this answer

In Splunk, when multiple automatic lookups are defined for the same sourcetype in props.conf, the order of execution is determined by the numeric suffix appended to the LOOKUP- stanza (e.g., LOOKUP-1, LOOKUP-2). Splunk processes these lookups in ascending numeric order, ensuring a predictable sequence. This allows administrators to chain lookups where the output of one lookup can feed into the next.

Exam trap

Splunk often tests the misconception that the order of stanzas in props.conf or the listing order in transforms.conf determines lookup execution order, when in fact it is strictly the numeric suffix after LOOKUP- that controls the sequence.

How to eliminate wrong answers

Option A is wrong because the order in which lookups are listed in transforms.conf does not control execution order; transforms.conf only defines the lookup table structure and fields, not the sequence of application. Option C is wrong because `batch_index_query` is a setting used in transforms.conf to control whether a lookup is performed as a batch query against the index, not a mechanism for ordering multiple lookups. Option D is wrong because there is no `priority` field in the lookup definition; Splunk does not support a priority attribute for ordering lookups—the numeric suffix in props.conf is the sole ordering mechanism.

44
MCQmedium

A user wants to create a field that contains the length of the 'message' field. Which command should they use?

A.rex field=message "(?<msg_length>.*)"
B.eval msg_length=sizeof(message)
C.len(message)
D.eval msg_length=len(message)
AnswerD

Correct way to compute length.

Why this answer

Option D is correct because the `eval` command in Splunk is used to create or modify fields, and the `len()` function returns the character length of a string field. The syntax `eval msg_length=len(message)` creates a new field named `msg_length` containing the length of the `message` field.

Exam trap

Splunk often tests the distinction between functions that must be used within `eval` versus standalone commands, and candidates mistakenly treat `len()` as a standalone command like `rex` or `stats`.

How to eliminate wrong answers

Option A is wrong because `rex` is used for regular expression extraction, not for calculating string length; the regex `(?<msg_length>.*)` would capture the entire message content into a field named `msg_length`, not its length. Option B is wrong because `sizeof()` is not a valid Splunk function; it is a C/C++ operator and would cause an error in Splunk. Option C is wrong because `len(message)` is not a standalone command; it must be used within an `eval` expression to assign the result to a field.

45
Matchingmedium

Match each knowledge object to its definition.


Concepts
Matches

Define how to extract fields from raw data

A search that is persisted and can be scheduled

Saved search with visualization or statistics

Saved search that triggers actions on conditions

Collection of panels with saved searches or reports

Why these pairings

These are core knowledge objects in Splunk.

46
Multi-Selectmedium

A security analyst wants to enrich authentication logs with a lookup table containing user department and manager information. Which TWO statements are true about using lookups in Splunk?

Select 2 answers
A.Once a lookup is defined, it cannot be updated.
B.The inputlookup command can be used to load a lookup file into a search.
C.Lookups can only be created from CSV files.
D.Lookups can only match on a single field.
E.Automatic lookups can be configured in props.conf and transforms.conf.
AnswersB, E

inputlookup loads the lookup table into the search results.

Why this answer

Option B is correct because the `inputlookup` command loads the contents of a static lookup file (e.g., CSV, KV store) directly into a search pipeline as events, allowing the analyst to inspect or further process the lookup data. This is a standard Splunk SPL command used for ad-hoc enrichment without requiring a defined lookup definition.

Exam trap

The trap here is that candidates confuse `inputlookup` (which loads the lookup table as events) with the `lookup` command (which enriches existing events), leading them to incorrectly dismiss Option B as incorrect.

47
MCQeasy

A user wants to rename the field 'src_ip' to 'sourceIP' in all search results without modifying the raw data. Which method should they use?

A.Use the eval command to assign src_ip to a new field sourceIP
B.Add an alias in props.conf
C.Use the fields command: | fields src_ip as sourceIP
D.Use the rename command: | rename src_ip as sourceIP
AnswerD

The rename command renames the field in the search results.

Why this answer

The `rename` command is the correct choice because it changes the field name in the search results without altering the underlying raw data. It operates on the field metadata in the search pipeline, allowing you to display 'sourceIP' instead of 'src_ip' for the duration of the search.

Exam trap

The trap here is that candidates often confuse the `rename` command with the `eval` command for creating aliases, or mistakenly think the `fields` command can rename fields, when in fact `fields` only controls field inclusion/exclusion and has no rename capability.

How to eliminate wrong answers

Option A is wrong because `eval` creates a new field (sourceIP) with the value of src_ip, but leaves the original src_ip field present, resulting in duplicate fields rather than a rename. Option B is wrong because `props.conf` is a configuration file used at index time to define field extractions or aliases for the entire index, not for renaming fields in a single search without modifying raw data. Option C is wrong because the `fields` command is used to include or exclude fields from search results, not to rename them; `| fields src_ip as sourceIP` is invalid syntax and would cause an error.

48
MCQmedium

An administrator wants to add a lookup table that maps user IDs to department names. The lookup file is a CSV with columns `user_id` and `department`. To use this lookup in searches, what must be configured?

A.Define the lookup as a time-based lookup.
B.Define the lookup table file in the transforms.conf with a search string.
C.Upload the CSV to Splunk and it automatically becomes available.
D.Define a lookup definition in props.conf and transforms.conf.
AnswerD

Standard configuration.

Why this answer

Option D is correct because to use a static CSV lookup in Splunk, you must first upload the file to the lookups directory, then define a lookup stanza in transforms.conf specifying the filename, and finally create a lookup definition in props.conf (or via the UI) to make it available for search commands like `lookup` or `inputlookup`. This two-step configuration ensures Splunk can locate the file and map the fields correctly.

Exam trap

Splunk often tests the misconception that uploading a CSV file alone makes it usable as a lookup, but the trap here is that you must configure both transforms.conf and a lookup definition (props.conf or UI) to register the lookup for search-time use.

How to eliminate wrong answers

Option A is wrong because time-based lookups are used for external data that changes over time (e.g., a database query with a time range), not for static CSV files; a static CSV does not require time-based configuration. Option B is wrong because transforms.conf defines the lookup table file with a filename and optional field mappings, but it does not use a 'search string' — that is a concept for external lookups or KV store lookups, not for static CSV files. Option C is wrong because simply uploading a CSV to Splunk does not automatically make it available as a lookup; you must explicitly define it in transforms.conf and create a lookup definition in props.conf or the Lookups manager.

49
MCQhard

A Splunk admin notices that a lookup is not matching fields correctly. The lookup file has a header row with field names. The search uses `lookup usernames.csv user_id OUTPUT username`. Some events have `user_id` values that exist in the lookup but no match occurs. What is the most likely cause?

A.The lookup file is missing the header row.
B.The lookup file has leading or trailing spaces in the matching column.
C.The lookup is case-sensitive and the search field has different case.
D.The lookup file has quotes around field values that are not stripped.
AnswerB

Spaces cause exact match failures because the search field doesn't have spaces.

Why this answer

Option B is correct because leading or trailing spaces in the lookup file's matching column prevent exact string matching. When Splunk performs a lookup, it compares the field value from the event with the lookup file value using an exact string match. If the lookup file contains spaces (e.g., '123 ' instead of '123'), the values will not match even though the event's `user_id` appears correct.

This is a common data quality issue in CSV files.

Exam trap

The trap here is that candidates often assume lookup failures are due to case sensitivity or missing headers, but Splunk's default case-insensitive matching and automatic quote stripping make whitespace issues the more subtle and likely cause.

How to eliminate wrong answers

Option A is wrong because the lookup file has a header row with field names, as stated in the question, so missing headers is not the cause. Option C is wrong because Splunk lookups are case-insensitive by default for string fields, so case differences would not prevent a match unless explicitly configured otherwise. Option D is wrong because Splunk automatically strips double quotes from CSV field values during ingestion, so quoted values are not a typical cause of lookup mismatches.

50
MCQmedium

A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?

A.Configure a lookup definition and use lookup command
B.Use rex to extract location from the IP
C.Use an eval command to calculate coordinates
D.Use fields command to add location
AnswerA

lookup command enriches data with external sources like GeoIP.

Why this answer

Option A is correct because Splunk's lookup command, combined with a lookup definition that references a geographic IP-to-location database (such as MaxMind GeoLite2), allows the admin to enrich web server logs with fields like city, country, and coordinates based on the client IP address. This is the standard, efficient approach for IP geolocation enrichment in Splunk, as it leverages pre-built external data without requiring custom parsing or calculations.

Exam trap

The trap here is that candidates often confuse the purpose of the rex command (extraction) with enrichment, or assume that IP addresses contain embedded geographic data that can be parsed with regex, when in reality IP geolocation requires an external mapping database accessed via a lookup.

How to eliminate wrong answers

Option B is wrong because the rex command is used for extracting data from raw event text using regular expressions, not for performing IP geolocation lookups; IP addresses do not inherently contain geographic information in their string representation. Option C is wrong because the eval command can perform calculations and string manipulations but cannot derive geographic coordinates from an IP address without an external lookup or service, as IP geolocation requires a database mapping IP ranges to locations. Option D is wrong because the fields command is used to include or exclude specific fields from search results, not to add new data from external sources; it cannot enrich events with geographic location data.

51
MCQmedium

Refer to the exhibit. The search returns no results from the lookup. What is the most likely issue?

A.The FIELDALIAS syntax is incorrect
B.The lookup table is not defined in transforms.conf
C.The lookup file 'error_codes.csv' does not exist
D.The lookup command references 'error_id' but the alias changed the field to 'error_code'
AnswerD

The alias renames the field, so the lookup should match the new field name.

Why this answer

The correct answer is D because the search uses `lookup error_codes.csv error_id` but the FIELDALIAS in props.conf has renamed the field `error_id` to `error_code`. Since the lookup command references the original field name `error_id`, which no longer exists in the events after alias processing, the lookup cannot match any values and returns no results.

Exam trap

Splunk often tests the interaction between FIELDALIAS and lookup commands, trapping candidates who assume the original field name remains available after aliasing.

How to eliminate wrong answers

Option A is wrong because the FIELDALIAS syntax shown in the exhibit is correct (the format `dest_field = src_field` is valid). Option B is wrong because the lookup is defined in transforms.conf (as shown in the exhibit), and the issue is not about missing definition. Option C is wrong because the error message or exhibit does not indicate a missing file; the lookup file exists but the field name mismatch prevents matches.

52
MCQmedium

A Splunk admin is tasked with creating a dashboard that shows the top 10 error codes from application logs. The logs contain a field 'error_code' which is extracted automatically. The admin writes the search: index=app sourcetype=app_log | top limit=10 error_code. The dashboard shows the correct data, but the admin wants to add a drilldown that passes the selected error code to another search. The admin considers using the 'fields' command to keep only error_code, the 'table' command to display the data, the 'eval' command to create a new field, or the 'stats' command to count. Which change should the admin make to the search to enable the drilldown functionality?

A.Add a stats count by error_code
B.Replace top with fields to keep only error_code
C.Replace top with table error_code, count
D.Add an eval command to create a clickable link
AnswerC

table creates a table that can be used for drilldown.

Why this answer

Option C is correct because the `table` command produces a tabular output that inherently supports drilldown in Splunk dashboards by preserving the raw event data and field values. When you use `table error_code, count`, the dashboard can pass the selected `error_code` value to another search via a token. The original `top` command aggregates data into a statistical summary that does not retain the raw event structure required for standard drilldown behavior.

Exam trap

The trap here is that candidates assume `top` already displays a table and thus supports drilldown, but they miss that `top` produces a statistical summary that does not retain the raw event context required for standard token-based drilldown in Splunk dashboards.

How to eliminate wrong answers

Option A is wrong because `stats count by error_code` produces a statistical summary similar to `top`, which does not preserve the raw event structure needed for drilldown; it also lacks the automatic `count` and `percent` fields that `top` provides, but the core issue is that aggregated results do not support token-based drilldown without additional configuration. Option B is wrong because `fields` only retains specified fields in the search results but does not format the output into a table; drilldown requires a structured display command like `table` to create clickable rows. Option D is wrong because `eval` creates a new field but does not change the output format; a clickable link would require additional dashboard XML or JavaScript, not just an `eval` command in the search string.

53
MCQeasy

An administrator needs to extract a field from log data where the value appears between two square brackets, for example [error_code: 404]. Which search command should they use to create a custom field extraction without modifying the original data?

A.eval
B.fields
C.extract
D.rex
AnswerD

rex extracts fields using regex patterns without modifying the original data.

Why this answer

The `rex` command is used to extract fields using regular expressions without modifying the raw event data. In this scenario, `rex` can parse the pattern `\[error_code: (?<field>\d+)\]` to capture the value between square brackets into a new field, leaving the original log intact.

Exam trap

Splunk often tests the distinction between `extract` (for key-value pairs) and `rex` (for regex-based extraction), and the trap here is that candidates confuse `extract` with general field extraction, not realizing it requires a specific `field=value` format to work.

How to eliminate wrong answers

Option A is wrong because `eval` creates or modifies fields using expressions and functions, but it does not perform regex-based extraction from raw text without additional string parsing. Option B is wrong because `fields` is used to include or exclude fields from search results, not to extract new fields from raw data. Option C is wrong because `extract` is a command for pulling key-value pairs from structured data (e.g., `field=value`), not for regex-based extraction of values between delimiters like square brackets.

54
MCQmedium

A search uses the rex command to extract fields from a log line. The field extraction is working correctly, but some events are missing the extracted field. What is a possible reason?

A.The rex command does not support named groups.
B.The events that are missing the field do not contain the pattern.
C.The regex pattern is too complex.
D.The rex command must be used with eval.
AnswerB

If the pattern is not present, no field is extracted.

Why this answer

The rex command extracts fields by matching a regex pattern against the raw event text. If an event does not contain the substring that matches the pattern, no field is extracted. This is the most direct and common reason for missing fields — the pattern simply isn't present in those events.

Exam trap

Splunk often tests the misconception that rex always extracts a field for every event, when in reality it only extracts if the pattern matches — candidates may overlook the fundamental requirement of pattern presence in the raw data.

How to eliminate wrong answers

Option A is wrong because the rex command fully supports named capturing groups (e.g., (?<field_name>pattern)), which is the standard way to extract fields. Option C is wrong because regex complexity does not cause fields to be missing; it may affect performance or accuracy, but if the pattern matches, the field is extracted. Option D is wrong because rex is a standalone command that does not require eval; it can be used in a pipeline without eval.

55
MCQeasy

Which command is used to import an external CSV file into a Splunk lookup table for the first time?

A.`| lookup`
B.`| inputlookup`
C.`| fields`
D.`| outputlookup`
AnswerD

Creates or appends to a lookup.

Why this answer

The `| outputlookup` command is used to create or overwrite a lookup table file in Splunk from search results. When importing an external CSV file into a Splunk lookup table for the first time, you would first ingest the CSV data (e.g., via `| inputcsv` or by uploading the file), then use `| outputlookup` to write that data into a lookup definition that Splunk can reference.

Exam trap

Splunk often tests the distinction between `| inputlookup` (reading from a lookup) and `| outputlookup` (writing to a lookup), and candidates frequently confuse them because both involve lookup tables but serve opposite purposes.

How to eliminate wrong answers

Option A is wrong because `| lookup` is used to enrich search results by matching fields against an existing lookup table, not to import or create a lookup table. Option B is wrong because `| inputlookup` loads the contents of an existing lookup table into a search; it does not import or create a new lookup table. Option C is wrong because `| fields` is used to include or exclude fields from search results; it has no role in importing or creating lookup tables.

56
MCQhard

A search using `| lookup user_lookup user_id OUTPUT department_name` returns incorrect department names for some users. The lookup file is correct. What could be the issue?

A.The output field name is misspelled in the search.
B.The field `user_id` in the events has trailing spaces.
C.The lookup file has duplicate entries for the same user_id.
D.The lookup definition uses case-insensitive matching.
AnswerB

Trailing spaces cause mismatch.

Why this answer

Option B is correct because trailing spaces in the `user_id` field within the events will cause the lookup to fail to match the corresponding entry in the lookup file, even though the lookup file itself is correct. Splunk performs exact string matching for lookups by default, so any leading or trailing whitespace in the event data will prevent a match, leading to incorrect or missing output. Using the `trim` function or a `| rex` command to strip whitespace before the lookup resolves this issue.

Exam trap

Splunk often tests the subtlety that whitespace in event fields can break lookups, leading candidates to incorrectly blame the lookup file or definition when the actual issue is data cleanliness.

How to eliminate wrong answers

Option A is wrong because the search explicitly specifies `OUTPUT department_name`, and the question states the lookup file is correct; if the output field name were misspelled, the search would either fail with an error or return no output, not incorrect department names. Option C is wrong because duplicate entries for the same `user_id` in the lookup file would cause the lookup to return the first matching row, which could still be correct; the question states the lookup file is correct, implying no duplicates or that duplicates are not the root cause. Option D is wrong because case-insensitive matching would actually help match more values, not cause incorrect results; the default behavior is case-sensitive, and if the lookup definition used case-insensitive matching, it would be less likely to produce mismatches.

57
MCQmedium

A Splunk admin configured a CSV-based lookup to map device IP addresses to location data. The lookup 'devices.csv' has columns 'ip', 'building', 'floor'. In props.conf, they set: `LOOKUP-1 = devices ip OUTPUT building floor`. In transforms.conf: `[devices] filename = devices.csv`. The search over sourcetype 'network_logs' returns events with the 'ip' field, but 'building' and 'floor' are missing. The admin confirms the CSV file exists and has data. What is the most likely issue?

A.The props.conf LOOKUP-1 syntax is incorrect; the definition should be `LOOKUP-1 = devices` only, and the match/output fields should be defined in transforms.conf.
B.The CSV file is too large and the lookup is not being loaded.
C.The 'ip' field is not properly extracted from the sourcetype.
D.The lookup file is not accessible from the search head because it is stored on a different host.
AnswerA

In props.conf, `LOOKUP-<class> = <lookup name>` specifies only the lookup name; the field mappings go in the transforms.conf stanza of that name.

Why this answer

Option A is correct because the `LOOKUP-1` definition in `props.conf` incorrectly includes the match and output fields. The correct syntax is `LOOKUP-1 = devices` only, with the match field (`ip`) and output fields (`building`, `floor`) defined in the `transforms.conf` stanza under `[devices]` using `external_type = csv`, `filename = devices.csv`, `match_type = WILDCARD(ip)`, and `default_match = NONE`. The admin's syntax causes Splunk to ignore the lookup configuration entirely, so no fields are added.

Exam trap

The trap here is that candidates confuse the `props.conf` LOOKUP syntax with the `| lookup` SPL command, mistakenly thinking match and output fields can be specified inline in `props.conf`.

How to eliminate wrong answers

Option B is wrong because CSV file size does not prevent a lookup from being loaded; Splunk can handle large lookups, and the issue is a configuration syntax error, not file size. Option C is wrong because the admin confirmed events have the 'ip' field, so extraction is not the problem; the lookup simply fails to execute due to incorrect syntax. Option D is wrong because lookups are resolved from the search head's local file system or a shared location (like a search peer), and the admin confirmed the file exists and has data; the issue is not about accessibility but about misconfiguration.

58
MCQhard

A Splunk admin has a lookup with 10 million rows. The search uses this lookup as a left join and takes too long. Which design change would most improve performance?

A.Filter the main search to only relevant events before the lookup.
B.Use the 'output' clause to limit returned fields.
C.Use an automatic lookup instead of the lookup command.
D.Convert the lookup to a KV store collection.
AnswerA

Reducing the number of events to match drastically improves performance.

Why this answer

Filtering the main search to only relevant events before the lookup reduces the number of rows that need to be matched against the 10-million-row lookup table. This minimizes the computational overhead of the left join operation, as Splunk must compare each event from the main search against every row in the lookup. By narrowing the event set early, you drastically cut the number of comparisons, directly improving search performance.

Exam trap

The trap here is that candidates often assume limiting output fields (Option B) or using an automatic lookup (Option C) will reduce the workload, but they fail to realize that the join itself—not the field count or automation—is the bottleneck, and only reducing the number of input events (Option A) addresses the root cause.

How to eliminate wrong answers

Option B is wrong because using the 'output' clause limits only the fields returned from the lookup, not the number of rows processed; the full 10-million-row lookup still must be scanned and joined. Option C is wrong because an automatic lookup is applied at search time to every event, which would actually increase overhead by performing the join on all events without the ability to filter first. Option D is wrong because converting to a KV store collection does not inherently improve join performance; KV store lookups are optimized for key-value retrieval but still require a full scan or index lookup, and the join operation remains expensive with 10 million rows.

59
MCQeasy

A Splunk user wants to see the list of fields that are defined in a lookup table named 'assets' without running a search. Which command should they use?

A.| inputlookup assets
B.| lookup assets
C.| stats values(*) as * by *
D.| fields assets
AnswerA

inputlookup displays the contents of the lookup table, including field names.

Why this answer

Option A is correct because the `inputlookup` command returns the contents of the lookup table, so the user can preview its rows and field names directly. Option B (`lookup`) enriches events rather than displaying the table. Option C (`stats`) computes statistics over search results. Option D (`fields`) includes or excludes fields from search results and does not read a lookup table.

60
MCQeasy

A Splunk user wants to see a list of all fields that are extracted from events of sourcetype 'apache_access'. They need to know which fields are available for use in searches and lookups. Which command should they use to discover all fields automatically extracted by Splunk for that sourcetype?

A.Use the search 'sourcetype=apache_access | fields' to list all fields in a few sample events
B.Use the 'extract' command with no arguments to show all extracted fields
C.Use the 'regex' command with a capturing group to identify fields
D.Use the 'inputlookup' command to display field names
AnswerA

Running a search and using 'fields' command shows all fields present in the results.

Why this answer

Option A is correct because the `| fields` command, when used without arguments, lists all fields present in the search results. By searching `sourcetype=apache_access` and piping to `| fields`, Splunk returns a table of all extracted fields (both default and custom) from the events of that sourcetype, allowing the user to see which fields are available for searches and lookups.

Exam trap

The trap here is that candidates often confuse the `extract` command (which re-extracts fields) with the `fields` command (which lists field names), or they mistakenly think `inputlookup` can display event fields instead of lookup table columns.

How to eliminate wrong answers

Option B is wrong because the `extract` command without arguments does not show all extracted fields; it forces Splunk to re-run field extraction (including regex-based extractions) on the events, but it does not list field names. Option C is wrong because the `regex` command is used to filter events based on a regular expression pattern, not to discover or list all extracted fields. Option D is wrong because `inputlookup` is used to load the contents of a lookup table (CSV or KV store) into search results, not to display fields extracted from events of a specific sourcetype.

61
MCQhard

Refer to the exhibit. The lookup `usertable` has fields: user, role, department. The search returns an error: "Error in 'where' command: Field 'role' is not defined." What is the most likely cause?

A.The `inputlookup` command does not output fields that can be used with `where`.
B.The field 'role' is not a valid field in the lookup because it is a reserved word.
C.The lookup name 'usertable' is misspelled.
D.The lookup file does not have a column named 'role'.
AnswerD

The error means the field is absent from the rows `inputlookup` produced.

Why this answer

Option D is correct because `inputlookup` emits one result per row of the lookup file with a field per column, so `where` failing with "Field 'role' is not defined" means the file has no column whose header is exactly `role`. Check the header with `| inputlookup usertable | head 1`, and remember that field names are case sensitive (`Role` is not `role`) and that leading or trailing whitespace in the header row gives the same symptom. Option A is wrong because `inputlookup` does output fields that later commands such as `where` can use. Option B is wrong because `role` is not a reserved word. Option C is wrong because a misspelled lookup name produces a different error, that the lookup table does not exist, rather than an undefined field.

62
Multi-Selecthard

Which THREE of the following are true about automatic field extraction in Splunk?

Select 3 answers
A.It can extract fields from structured data like JSON and XML.
B.Custom field extractions are not allowed if auto extraction is enabled.
C.It extracts fields from raw data based on default patterns.
D.Fields extracted automatically are available for searching immediately.
E.Auto extraction cannot be disabled for specific sourcetypes.
AnswersA, C, D

Splunk parses structured formats and `key=value` pairs automatically at search time.

Why this answer

Options A, C and D are correct. Automatic field extraction (automatic key-value extraction, governed by `KV_MODE` in props.conf) pulls fields out of structured data such as JSON and XML (A) and out of raw text that follows default patterns such as `key=value` (C). Because this is search-time extraction, the fields are available to searches as soon as the events are indexed; nothing has to be re-indexed (D). The cost is that the extraction is repeated on every search, which is why high-volume structured sources are sometimes switched to index-time extraction with `INDEXED_EXTRACTIONS` instead.

Exam trap

Splunk tests two misconceptions here: that automatic extraction and custom extractions are mutually exclusive (they coexist, so B is false) and that automatic extraction cannot be turned off (it can be disabled per sourcetype, for example with `KV_MODE = none` in props.conf, so E is false).

63
MCQhard

An administrator notices that an automatic lookup is not being applied to events from a certain sourcetype. The lookup file exists and the configuration in props.conf appears correct. What is a possible reason?

A.Splunk needs to be restarted after adding the automatic lookup
B.The lookup file is stored in the wrong directory but referenced correctly
C.The lookup field is case-sensitive and the data doesn't match
D.The lookup table is defined in transforms.conf incorrectly
AnswerD

Both props.conf and transforms.conf must be configured correctly.

Why this answer

Option D is correct because an automatic lookup is split across two files: the `LOOKUP-<class>` setting in props.conf names the lookup and maps event fields to lookup fields, while the transforms.conf stanza it names defines the table itself (`filename` for a CSV, or a KV store `collection`, plus settings such as `case_sensitive_match` and `max_matches`). If that stanza is absent, misnamed, or points at a file that is not in a lookups directory the search head can read, the props.conf line has nothing to apply, and Splunk applies nothing rather than raising an error. Note that automatic lookups are search-time enrichment: they are evaluated when a search runs over events of that sourcetype, not when the data is indexed.

Exam trap

The trap here is that candidates assume a correctly written props.conf stanza is sufficient, but Splunk requires a corresponding transforms.conf stanza to define the lookup details, and many test-takers overlook this two-step configuration dependency.

How to eliminate wrong answers

Option A is wrong because search-time settings such as automatic lookups do not require a splunkd restart; new searches pick them up, and on a search head you can force a refresh from the debug/refresh endpoint if needed. Option B contradicts itself: a file in the wrong directory is a file Splunk cannot find, which shows up as an error in search.log or splunkd.log, not as a silently skipped lookup behind a correct configuration. Option C is wrong because a case mismatch between event values and lookup keys does not stop the lookup from being applied; it is applied and simply matches nothing, and `case_sensitive_match = false` in transforms.conf is the fix for that data issue. A useful first check is `splunk btool props list <sourcetype> --debug` together with `splunk btool transforms list <lookup> --debug`, which print the merged stanzas and the file each setting came from.
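As an added example that is not part of this question bank or of Splunk itself, the following Python checker parses a props.conf and a transforms.conf (both constructed inline, with hypothetical sourcetype, lookup and file names) and reports every automatic lookup that cannot apply: a stanza that matches no sourcetype in use, a `LOOKUP-` setting pointing at a transforms stanza that does not exist, or a `filename` missing from the lookups directory. The `[apache_access]` stanza is the shape a working configuration takes; `[apache_acces]` is the typo case the question describes.

```python
"""Added example (not Splunk's own code): validate the chain that makes an
automatic lookup work, props.conf LOOKUP-<class> -> transforms.conf stanza ->
lookup file, offline, before reaching for btool on the search head.

Sourcetype, lookup and file names are hypothetical; the second props stanza
is deliberately broken to show what the checker reports."""
import configparser

# Constructed props.conf: one good automatic lookup, one with a misspelled
# sourcetype that also points at a transforms stanza that does not exist.
PROPS_CONF = """
[apache_access]
LOOKUP-geo = geo clientip OUTPUTNEW city country

[apache_acces]
LOOKUP-geo-typo = geo_ip clientip OUTPUT city
"""

# Constructed transforms.conf: the lookup table definition props.conf refers to.
TRANSFORMS_CONF = """
[geo]
filename = geo.csv
case_sensitive_match = false
"""

# Constructed listing of the app's lookups/ directory.
LOOKUP_FILES = {"geo.csv"}


def parse_conf(text):
    """Splunk .conf files are INI-style; keep key case (LOOKUP-geo, not lookup-geo)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {stanza: dict(cp[stanza]) for stanza in cp.sections()}


def check_auto_lookups(props_text, transforms_text, lookup_files, sourcetypes_in_use):
    """Return (stanza, key, problem) for every LOOKUP-* setting that cannot apply."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    problems = []
    for stanza, settings in props.items():
        for key, value in settings.items():
            if not key.startswith("LOOKUP-"):
                continue
            tokens = value.split()
            if not tokens:
                problems.append((stanza, key, "empty automatic lookup definition"))
                continue
            name = tokens[0]  # first token is the transforms.conf stanza name
            # props stanzas may also be [source::...] or [host::...]; a bare
            # stanza name is a sourcetype and must match the events exactly.
            if "::" not in stanza and stanza not in sourcetypes_in_use:
                problems.append((stanza, key, f"no events carry sourcetype {stanza!r}"))
            if name not in transforms:
                problems.append((stanza, key, f"transforms.conf has no [{name}] stanza"))
                continue
            table = transforms[name]
            if "filename" in table:
                if table["filename"] not in lookup_files:
                    problems.append((stanza, key, f"{table['filename']} missing from lookups/"))
            elif not ("collection" in table or "external_cmd" in table):
                problems.append((stanza, key, f"[{name}] names no filename, collection or external_cmd"))
    return problems


if __name__ == "__main__":
    for stanza, key, problem in check_auto_lookups(
            PROPS_CONF, TRANSFORMS_CONF, LOOKUP_FILES, {"apache_access"}):
        print(f"[{stanza}] {key}: {problem}")
```

This covers only the three dependencies named above. On a real search head, `splunk btool props list <sourcetype> --debug` and `splunk btool transforms list --debug` remain the authority for the merged settings, and permissions still matter: the lookup definition and the file must be shared to the app (or globally) so that the searching user can see them.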

64
MCQhard

A company uses Splunk to monitor its e-commerce platform. They have a lookup file (user_geo.csv) that maps user_id to city, state, and country. The search `index=ecommerce sourcetype=access_combined | lookup user_geo user_id OUTPUT city, state, country | stats count by country` is used to analyze user locations. Recently, the lookup stopped returning results for many events. The lookup file is updated daily via a script that pulls from an external API. The Splunk administrator checks the lookup definition and finds that the lookup is configured to automatically reload every 24 hours. The last successful load was 23 hours ago. The events still contain the 'user_id' field. Which course of action should the administrator take first?

A.Verify that the events contain the `user_id` field by running `index=ecommerce sourcetype=access_combined | head 10`.
B.Increase the auto-reload interval to 12 hours to ensure more frequent updates.
C.Manually reload the lookup using the `| inputlookup user_geo.csv | outputlookup user_geo.csv` technique or the UI reload button.
D.Modify the search to use `| inputlookup user_geo.csv` instead of the lookup command.
AnswerC

A manual reload forces Splunk to use the latest lookup data, which may have been updated after the last automatic reload.

Why this answer

Option C is correct because the lookup data on disk may have changed since Splunk last loaded it; forcing a reload makes the current file visible to searches immediately, which is the quickest way to confirm or rule out a stale table. Option A is wrong because the question already states that the events still contain `user_id`. Option B is wrong because shortening the interval changes future behaviour but does nothing about the stale data now. Option D is wrong because `inputlookup` returns the table's rows as results; it does not enrich events, so the search would no longer answer the question.

If the manual reload does not help, the next suspect is the daily script itself: confirm that the file it wrote still has a header row whose key column is named exactly `user_id` (`| inputlookup user_geo | head 5` shows the columns and a few rows).

65
Multi-Selectmedium

Which TWO of the following are best practices for managing lookup files in Splunk?

Select 2 answers
A.Place lookup files in $SPLUNK_HOME/var/run to avoid permission issues.
B.Store the lookup file in $SPLUNK_HOME/etc/system/lookups or an app's lookups directory.
C.Use global lookups to share across all apps.
D.Use Windows-style CRLF line endings for cross-platform compatibility.
E.Always include a header row in CSV lookups.
AnswersB, E

An app's lookups directory (or etc/system/lookups) is the standard location, and the header row is what gives the columns their field names.

Why this answer

Options B and E are correct. Lookup files belong in an app's lookups directory or in $SPLUNK_HOME/etc/system/lookups, which is where a lookup definition resolves its `filename` and what gets shipped to search peers in the knowledge bundle; a header row is mandatory for CSV lookups because it supplies the field names used for matching and output.

Option A is wrong because $SPLUNK_HOME/var/run holds runtime and dispatch data; Splunk does not resolve lookup files from there. Option C is wrong because global sharing is a permission choice, not a best practice; scope a lookup to the app that needs it unless it is genuinely needed everywhere. Option D is wrong because CRLF line endings are a known source of trouble (the trailing carriage return ends up inside the last column's values); use LF.

66
MCQmedium

Refer to the exhibit. An analyst runs a search that uses this lookup. The lookup returns multiple matches for some events. Which of the following is true?

A.The default value 'UNKNOWN' is used when there is no match.
B.All matching rows are returned for each event.
C.The lookup file must be sorted.
D.Only the first 5 matching rows are returned.
AnswerD

max_matches=5 in the lookup definition caps each event at its first five matching rows.

Why this answer

Option D is correct because the `max_matches` setting of the lookup definition (transforms.conf) limits how many rows of the table may match one event; the exhibit sets it to 5, so an event with more than five candidate rows receives the first five in file order, and each output field becomes a multivalue field holding one value per matched row. The default is not 1 for a plain CSV lookup: it is 1000 (1 only for temporal, time-bounded lookups), so a definition that has never been touched already returns several matches. Sorting the file plays no part.

Exam trap

The trap is assuming either that every matching row is always returned (Option B) or that a lookup returns a single match unless told otherwise; what actually governs it is `max_matches`, and the exhibit sets it explicitly.

How to eliminate wrong answers

Option A is wrong because 'UNKNOWN' would come from `default_match` in the lookup definition, which fills the output fields when no row matches at all (and requires `min_matches = 1`); the question is about events with several matches. Option B is wrong because with max_matches=5 only the first five rows are used. Option C is wrong because CSV lookups do not need to be sorted; rows are matched in file order regardless.

67
MCQhard

A large enterprise uses Splunk across 50 indexers and a search head cluster. An analyst reports that a search using a lookup file 'employees.csv' (500 MB, 10 million rows) is extremely slow. The search is: `index=winlogs sourcetype=Security EventCode=4624 | lookup employees.csv account AS User OUTPUT department, manager`. The lookup currently runs on each event, and the entire CSV is loaded into memory on the search head each time. There are about 5 million matching events per day. The company has a separate Identity Management system that updates employee data hourly. The analyst needs the lookup to be fast and up-to-date. Which solution should the Splunk admin implement?

A.Use a static CSV but compress it and use `lookup` command with `| makeresults` approach.
B.Convert the lookup to a KV store collection and use the lookup as a key-value store.
C.Increase the `max_mem_usage` setting for the lookup in limits.conf.
D.Add a time range early in the search to reduce events.
AnswerB

KV store can handle large datasets efficiently and supports incremental updates.

Why this answer

Option B is correct because converting the large, frequently updated CSV lookup to a KV store collection allows Splunk to index the data and perform key-value lookups efficiently without loading the entire file into memory on the search head. The KV store supports real-time updates from the Identity Management system via REST API, ensuring the lookup remains up-to-date while drastically improving search performance for 5 million daily events across 50 indexers.

Exam trap

The trap here is that candidates often assume increasing memory limits (Option C) or reducing data volume (Option D) will fix performance issues, but they overlook that a KV store is the only solution that both scales for large lookups and supports frequent updates without reloading the entire dataset.

How to eliminate wrong answers

Option A is wrong because compressing a static CSV and using `| makeresults` does not solve the fundamental issue of loading a 500 MB file into memory on the search head; it still requires decompression and full in-memory processing, and the data would not be updated hourly. Option C is wrong because increasing `max_mem_usage` in limits.conf only raises the memory threshold for loading the CSV, which may cause out-of-memory errors or performance degradation on the search head without addressing the scalability or update frequency. Option D is wrong because adding a time range early in the search reduces the event count but does not optimize the lookup itself; the lookup still loads the entire CSV into memory for each search, and the analyst needs the lookup to be fast and up-to-date, not just fewer events.

68
MCQhard

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?

A.eval status=coalesce(status, "unknown")
B.default status=unknown
C.fillnull value=unknown status
D.replace status with "unknown"
AnswerC

fillnull sets null fields to a specified value.

Why this answer

Option C is correct because `fillnull` exists for exactly this job: `fillnull value=unknown status` writes 'unknown' into `status` wherever it is null or absent and leaves present values alone, so every event ends up with a consistent field for later `stats by status` or lookups.

Exam trap

The trap is the `default` and `replace` distractors, which read like SPL but are not the commands for this. Note that `eval status=coalesce(status, "unknown")` would also work, because `eval` treats a field that is absent from an event as null; the question is really asking for the command built for the purpose.

How to eliminate wrong answers

Option A is not the expected answer, though it is not wrong SPL: `eval` treats a missing field as null, so `coalesce(status, "unknown")` yields 'unknown' for those events and creates the field. `fillnull` is simply the purpose-built command and handles several fields in one call. Option B is wrong because there is no `default` search command. Option D is wrong because `replace` substitutes one existing value for another (`replace 404 WITH not_found IN status`) and does not act on missing fields; the syntax shown is not valid either.

69
MCQmedium

A lookup table contains employee names and IDs. An admin wants to add the employee name to events that contain an employee ID field called 'emp_id'. What is the correct lookup command syntax?

A.| lookup employee_lookup employee_name FROM emp_id
B.| lookup employee_lookup emp_id OUTPUTNEW *
C.| lookup employee_lookup emp_id OUTPUT employee_name
D.| lookup employee_lookup emp_id OUTPUTNEW employee_name
AnswerD

OUTPUTNEW prevents overwriting existing employee_name field.

Why this answer

Option D is correct because the `OUTPUTNEW` clause in a lookup command only adds fields from the lookup table that are not already present in the event, preventing overwriting of existing field values. In this scenario, the admin wants to add the employee name to events that already contain an `emp_id` field, so `OUTPUTNEW employee_name` ensures the name is appended without modifying any existing data.

Exam trap

Splunk often tests the distinction between `OUTPUT` and `OUTPUTNEW` in lookup commands, and the trap here is that candidates may choose `OUTPUT` (option C) thinking it simply adds the field, without realizing it will overwrite any existing field with the same name.

How to eliminate wrong answers

Option A is wrong because the syntax `employee_name FROM emp_id` is invalid; the correct order is `lookup <lookup-table> <lookup-field> OUTPUT <output-field>`, and `FROM` is not a valid clause in the lookup command. Option B is wrong because `OUTPUTNEW *` would attempt to output all fields from the lookup table as new fields, but it would not specifically target the employee name and could introduce unnecessary or conflicting fields. Option C is wrong because `OUTPUT employee_name` would overwrite any existing `employee_name` field in the event, which is not the intended behavior; the admin wants to add the name only if it does not already exist.

70
MCQeasy

Refer to the exhibit. An analyst runs the search and expects the `country`, `region`, and `city` fields to appear in the results, but they do not. What is the most likely reason?

A.The fields in the lookup must have different names than the output fields.
B.The clientip field in the events has a different data type than the lookup.
C.The lookup command should use OUTPUTNEW instead of OUTPUT.
D.The lookup file is not defined as a lookup in Splunk's lookups definitions.
AnswerD

The `lookup` command needs either a lookup definition name or, for CSV files, the uploaded file's name with its .csv extension; a name Splunk cannot resolve adds nothing.

Why this answer

Option D is correct because the `lookup` command resolves its first argument against the lookup definitions (Settings > Lookups > Lookup definitions) or, when the name ends in .csv, against the lookup table files visible in the user's app context. A definition that does not exist, or one the user cannot see because of app scope or permissions, means no enrichment; Splunk normally reports that the lookup table does not exist in the search messages rather than failing silently, so check those first.

Exam trap

Splunk often tests the distinction between uploading a lookup file and defining it as a lookup, tricking candidates into thinking the file's mere presence is sufficient for the `lookup` command to work.

How to eliminate wrong answers

Option A is wrong because lookup and output field names can be the same; renaming with AS is optional. Option B is wrong because lookup matching compares values as strings, so there is no data type to mismatch; a value that does not match gives no result for that event, not a missing column. Option C is wrong because OUTPUT and OUTPUTNEW differ only in whether an existing field is overwritten; neither causes the fields to be absent when the lookup resolves and matches.

71
MCQeasy

Refer to the exhibit. An administrator runs this command. What is the effect?

A.Imports the file into Splunk as a data input.
B.Creates a lookup definition named my_lookup using the file my_lookup.csv.
C.Creates a lookup definition and automatically populates it with the file contents.
D.Adds the file to the monitor directory.
AnswerB

Adds the lookup table definition.

Why this answer

The command in the exhibit registers a lookup definition named `my_lookup` whose backing file is `my_lookup.csv`. A definition is a pointer: it makes the file usable by name in `lookup` and `inputlookup` and is where settings such as `max_matches` and `case_sensitive_match` live, but it does not copy, index or monitor the file.

Exam trap

The trap is reading the command as if it imported data. Defining a lookup configures nothing in inputs.conf; the CSV is read when a search uses it, and `| inputlookup my_lookup.csv` would only read the file for that one search, not create a definition.

How to eliminate wrong answers

Option A is wrong because data inputs are configured through inputs.conf or Settings > Data inputs, which this command does not touch. Option C is wrong because a definition holds no data; the rows stay in the CSV file and are read at search time, so nothing is populated. Option D is wrong because monitoring a directory is a file system input, again configured in inputs.conf, not a lookup setting.

72
Multi-Selecthard

A lookup definition in transforms.conf includes the following settings: `filename = employees.csv`, `max_matches = 0`, `case_sensitive_match = false`. Which three statements about this lookup are true? (Choose three.)

Select 3 answers
A.The lookup will fail if there are duplicate keys.
B.The lookup will only return the first match for each event.
C.The lookup matching is case-insensitive.
D.The lookup can be used with the `| lookup` command.
E.The lookup will return all matching rows for each input event.
AnswersC, D, E

case_sensitive_match=false.

Why this answer

Options C, D and E are correct. `case_sensitive_match = false` makes the comparison between the event value and the lookup key ignore case (C). A transforms.conf stanza with `filename =` defines a CSV lookup that the `| lookup` command can invoke by stanza name (D). In this definition `max_matches = 0` lifts the cap, so every row whose key matches the event is returned and each output field becomes a multivalue field (E). Option A is wrong because duplicate keys are allowed in a CSV lookup; they are exactly what `max_matches` exists to handle. Option B is wrong because returning only the first match is what a cap of 1 would do.

Exam trap

The trap here is that candidates often confuse `max_matches = 0` with 'no matches' or 'first match only', when in fact it means 'unlimited matches', and they may also overlook that `case_sensitive_match = false` explicitly enables case-insensitive matching.

73
MCQmedium

A search needs to replace a field value 'user' with 'full name' using a CSV lookup that has 'username' and 'fullname' columns. Which lookup command is correct?

A.| lookup users.csv username AS user OUTPUTNEW fullname
B.| lookup users.csv user AS username OUTPUT fullname
C.| lookup users.csv username AS user OUTPUT fullname AS full_name
D.| lookup users.csv user AS fullname OUTPUT username
AnswerC

Correctly matches user to username and outputs fullname as full_name.

Why this answer

Option C is correct because the `lookup` command syntax requires specifying the lookup file, then the field name in the lookup file (`username`) mapped to the field in the event (`user`) using `AS`, and then `OUTPUT` to bring the `fullname` field into the event as a new field named `full_name`. This matches the requirement to replace the field value 'user' with 'full name' by using the CSV lookup's `fullname` column.

Exam trap

Splunk often tests the exact syntax of the `lookup` command, specifically the order of fields in the `AS` mapping and the difference between `OUTPUT` and `OUTPUTNEW`, causing candidates to confuse which side of `AS` represents the lookup file column versus the event field.

How to eliminate wrong answers

Option A is wrong because `OUTPUTNEW` would leave any existing `fullname` field untouched and it does not rename the output to `full_name`; its `username AS user` mapping is in fact the correct direction. Option B reverses the mapping: the lookup column goes on the left of AS and the event field on the right, so `user AS username` tries to match a lookup column called `user`, which does not exist. Option D maps the event's `user` field to the lookup's `fullname` column and outputs `username`, the opposite of what is asked.
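The behaviours tested in questions 66, 69, 72 and 73 can be made concrete in a small reference model. The following Python is an added example, not Splunk's implementation: it models the `lookup` command's `<lookup_field> AS <event_field>` mapping, OUTPUT versus OUTPUTNEW, `max_matches` (with extra matches becoming a multivalue field), `case_sensitive_match` and `default_match`, against a constructed users.csv that deliberately contains a duplicate key. Passing `max_matches=None` here plays the role of the uncapped definition in question 72. `demo()` runs each scenario.

```python
"""Reference model of Splunk `lookup` semantics (added example, not Splunk's
own code). Reproduces the behaviours the questions above turn on."""
import csv
import io

# Constructed sample lookup table, as a users.csv lookup file might look.
# The repeated key 'bob' is intentional: CSV lookups may contain duplicate keys.
USERS_CSV = """username,fullname,role
alice,Alice Adams,admin
bob,Bob Brown,analyst
bob,Robert Brown,contractor
"""


def load_csv_lookup(text):
    """Parse a CSV lookup; the header row supplies the field names."""
    return list(csv.DictReader(io.StringIO(text)))


def lookup(events, table, match, output=None, *, outputnew=False,
           max_matches=1000, case_sensitive_match=True, default_match=None):
    """Enrich each event dict from `table` (list of row dicts).

    match:  {lookup_field: event_field}, i.e. `username AS user`.
    output: {lookup_field: event_field}, i.e. `OUTPUT fullname AS full_name`;
            None means every non-key lookup field, under its own name.
    outputnew: True models OUTPUTNEW (never overwrite a field already present).
    max_matches: rows used per event, in file order; None means no cap.
    default_match: value written to the output fields when nothing matches
                   (transforms.conf default_match, which needs min_matches = 1).
    """
    if output is None:
        output = {f: f for f in table[0] if f not in match} if table else {}

    def key(value):
        return value if case_sensitive_match else value.lower()

    result = []
    for event in events:
        ev = dict(event)
        # An event lacking one of the input fields passes through untouched.
        if any(ef not in ev for ef in match.values()):
            result.append(ev)
            continue
        rows = [r for r in table
                if all(key(r[lf]) == key(str(ev[ef])) for lf, ef in match.items())]
        if max_matches is not None:
            rows = rows[:max_matches]
        for lf, ef in output.items():
            if outputnew and ef in ev:
                continue
            if rows:
                values = [r[lf] for r in rows]
                ev[ef] = values[0] if len(values) == 1 else values  # multivalue
            elif default_match is not None:
                ev[ef] = default_match
        result.append(ev)
    return result


USERS = load_csv_lookup(USERS_CSV)


def demo():
    """Run the scenarios from the questions above; returns them keyed by name."""
    m, o = {"username": "user"}, {"fullname": "full_name"}
    return {
        # `lookup users.csv username AS user OUTPUT fullname AS full_name`
        "rename": lookup([{"user": "alice"}], USERS, m, o),
        # OUTPUT overwrites an existing full_name; OUTPUTNEW keeps it
        "output": lookup([{"user": "alice", "full_name": "kept?"}], USERS, m, o),
        "outputnew": lookup([{"user": "alice", "full_name": "kept?"}], USERS, m, o,
                            outputnew=True),
        # duplicate key: first match only, versus all matches as a multivalue field
        "first": lookup([{"user": "bob"}], USERS, m, o, max_matches=1),
        "all": lookup([{"user": "bob"}], USERS, m, o, max_matches=None),
        # case_sensitive_match=false matches ALICE; with it true, default_match fills in
        "ci": lookup([{"user": "ALICE"}], USERS, m, o, case_sensitive_match=False),
        "cs_default": lookup([{"user": "ALICE"}], USERS, m, o, default_match="UNKNOWN"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The multivalue result in the "all" scenario is the thing to watch in practice: a `stats count by full_name` after an uncapped lookup counts one event under several values, which is why a cap of 1 (or deduplicated keys in the file) is usually what an analyst wants.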

74
Drag & Dropmedium

Drag and drop the steps to create a simple Splunk search that returns results for a specific error in the last 24 hours into the correct order.


Why this order

Basic search workflow involves selecting the app, entering the search with time range, executing, and reviewing results.

75
MCQeasy

Refer to the exhibit. What would happen if the eval statement was changed to: eval priority = case(error = "critical", 1, error = "warning", 2, true(), 3)?

A.The search returns no results
B.The search returns the same results as before
C.The search only returns priority 3
D.The search returns a syntax error
AnswerB

true() functions similarly to 1=1 as a catch-all.

Why this answer

Option B is correct because the `case` function in Splunk evaluates conditions in order and returns the first match. The original `case` statement used `error=="critical"` and `error=="warning"`, while the new one uses `error = "critical"` and `error = "warning"`. In Splunk, the `=` operator is equivalent to `==` for string comparison in `eval` expressions, so both forms produce identical results.

The `true()` clause at the end acts as a default, assigning priority 3 to any other value, which matches the original behavior.

Exam trap

The trap here is that candidates may think `=` is an assignment operator in `eval` (like in some programming languages) and expect a syntax error, but in Splunk's `eval` context, `=` is a valid comparison operator equivalent to `==`.

How to eliminate wrong answers

Option A is wrong because the search will return results; the `case` function is valid and will assign priorities based on the conditions. Option C is wrong because the `case` function evaluates conditions sequentially, so errors with value 'critical' get priority 1 and 'warning' get priority 2, not just priority 3. Option D is wrong because `=` is a valid comparison operator in Splunk's `eval` context, equivalent to `==`, so no syntax error occurs.

