SPLK-1002 · topic practice

Using Fields and Lookups practice questions

Practise Splunk Core Certified User SPLK-1002 Using Fields and Lookups practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.

Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.

Reviewed byJohnson Ajibi· MSc IT Security
20 questionsDomain: Using Fields and Lookups

What the exam tests

What to know about Using Fields and Lookups

Using Fields and Lookups questions test whether you can apply the concept in context, not just recognise a definition.

How the topic appears in realistic exam-style scenarios.

Which detail in the question changes the correct answer.

How to eliminate plausible but wrong options.

How to connect the question back to the wider exam objective.

Watch out for

Common Using Fields and Lookups exam traps

  • Answering from memory before reading the full scenario.
  • Missing a constraint such as cost, availability, security, scope or command context.
  • Choosing a broad answer when the question asks for the most specific fix.
  • Ignoring why the wrong options are tempting.

Practice set

Using Fields and Lookups questions

20 questions · select your answer, then reveal the explanation

A security analyst is investigating a suspicious IP address. They want to find all events related to that IP. Which field should they use in a search?

A Splunk admin wants to enrich web server logs with geographic location data based on IP addresses. Which approach should they use?

A search returns many events but the 'status' field is missing from some events. The admin wants to set a default value of 'unknown' when the field is absent. Which command should be used?

A user wants to see only events where the 'action' field has a value of 'success'. Which search syntax should they use?

A lookup table contains employee names and IDs. An admin wants to add the employee name to events that contain an employee ID field called 'emp_id'. What is the correct lookup command syntax?

A search includes a lookup that returns multiple values per event. The admin wants to see each matched value as a separate event. Which command should be used after the lookup?

In Splunk, which of the following is true about fields?

An admin notices that a lookup is not returning any results for some events even though matching keys exist. What is the most likely cause?

A search uses a lookup that returns a field 'priority'. The admin wants to use the lookup only for events where the 'source' is 'firewall'. Which command should be used?

Which of the following best describes the purpose of the 'fields' command in a search?

A user wants to create a field that contains the length of the 'message' field. Which command should they use?

Which TWO of the following are valid ways to extract fields in Splunk? (Choose two.)

Which THREE of the following are true about lookups in Splunk? (Choose three.)

A Splunk admin wants to handle missing field values in a search. Which TWO commands can replace null values with a specified default? (Choose two.)

Which THREE statements about the 'rex' command are correct? (Choose three.)

Refer to the exhibit. The lookup file app_versions.csv contains fields 'app' and 'version'. The version values are strings like '1.5', '2.0', '2.1'. What is the issue with this search?

Exhibit

Refer to the exhibit.

| inputlookup app_versions.csv
| where version > "2.0"
| table app version

Refer to the exhibit. A user gets this error when running a search with a GeoIP lookup. What is the most likely cause?

Exhibit

Refer to the exhibit.

Error message:
"Lookup table 'geoip' not found in 'lookups' directory."

Refer to the exhibit. What will this search return?

Exhibit

Refer to the exhibit.

index=web sourcetype=access_combined | top 5 uri

A company has a Splunk environment indexing firewall logs from multiple vendors. The security team wants to enrich events with a threat intelligence lookup that contains IP addresses and threat categories. The lookup file 'threat_intel.csv' has fields: ip, category, confidence. The admin runs the following search: index=firewall | lookup threat_intel.csv src_ip OUTPUT category confidence. However, the lookup returns no results, even though there are matching IPs. The admin verifies that the lookup file is uploaded and the field names are correct. What is the most likely cause? The admin suspects that the lookup is case-sensitive, but the IP addresses in the logs are lowercase and the lookup has uppercase. The admin also considers that the lookup might be configured with the wrong field order, or that the lookup command is missing the OUTPUTNEW option, or that the index name is wrong. Which course of action should the admin take first to resolve the issue?

A Splunk admin is tasked with creating a dashboard that shows the top 10 error codes from application logs. The logs contain a field 'error_code' which is extracted automatically. The admin writes the search: index=app sourcetype=app_log | top limit=10 error_code. The dashboard shows the correct data, but the admin wants to add a drilldown that passes the selected error code to another search. The admin considers using the 'fields' command to keep only error_code, the 'table' command to display the data, the 'eval' command to create a new field, or the 'stats' command to count. Which change should the admin make to the search to enable the drilldown functionality?

Free account

Track your progress over time

Create a free account to save your results and see which topics improve across sessions.

Focused Using Fields and Lookups sessions

Start a Using Fields and Lookups only practice session

Every question in these sessions is drawn from the Using Fields and Lookups domain — nothing else.

Related practice questions

Related SPLK-1002 topic practice pages

Move into related areas when this topic feels solid.

Frequently asked questions

What does the SPLK-1002 exam test about Using Fields and Lookups?
Using Fields and Lookups questions test whether you can apply the concept in context, not just recognise a definition.
How should I use these practice questions?
Select your answer before revealing the explanation. Then read why each option is right or wrong — this active recall approach builds retention far faster than re-reading notes.
Can I practise just Using Fields and Lookups questions in a focused session?
Yes — the session launcher on this page draws every question from the Using Fields and Lookups domain. Use a 10-question session first to gauge your baseline, then move to 20 or 30 once the weak spots are clear.
Where can I practise other SPLK-1002 topics?
Use the topic links above to move to related areas, or go back to the SPLK-1002 question bank to see all topics.
Are these real exam questions or dumps?
These are original practice questions written to test the same concepts the SPLK-1002 exam covers. They are not copied from any real exam or dump site.