CCNA Fields Lookups Questions

49 of 124 questions · Page 2/2 · Fields Lookups topic · Answers revealed

76
MCQhard

A search uses a lookup to enrich results with a field 'status'. After the lookup, some events have empty status values. The lookup file contains a mapping for all possible status codes. What is a likely reason for empty values?

A.The events are not indexed.
B.The lookup command uses output_fields incorrectly.
C.The lookup file has duplicate keys.
D.The lookup field name in the event does not match the lookup key.
AnswerD

Mismatch prevents matching, resulting in no enrichment.

Why this answer

Option D is correct because the lookup command matches a field in the event (the lookup key) against a field in the lookup file. If the field name in the event does not exactly match the lookup key field name in the lookup file, no match occurs, and the output field (e.g., 'status') remains empty. This is a common misconfiguration when the lookup key field is misspelled or has a different case.

Exam trap

Splunk often tests the distinction between a lookup that returns no match (empty values) versus a lookup that fails due to syntax or data issues, and candidates mistakenly blame duplicate keys or output_fields instead of recognizing a key field mismatch.

How to eliminate wrong answers

Option A is wrong because events that are not indexed would not appear in search results at all, so they cannot have empty status values after a lookup. Option B is wrong because output_fields controls which fields from the lookup file are added to events; incorrect usage would cause missing fields entirely, not empty values for a field that exists. Option C is wrong because duplicate keys in a lookup file cause the lookup to return only the first matching value, not empty values; empty values occur only when no match is found.

77
MCQmedium

Refer to the exhibit. The lookup file app_versions.csv contains fields 'app' and 'version'. The version values are strings like '1.5', '2.0', '2.1'. What is the issue with this search?

A.Version comparison will not be numeric, giving incorrect results
B.where cannot be used with string comparisons
C.inputlookup is not a valid command
D.table should be replaced with fields
AnswerA

String comparison fails for version numbers.

Why this answer

The issue is that the `where` clause performs lexicographic (string) comparison on the `version` field because the values in the lookup file are stored as strings (e.g., '1.5', '2.0', '2.1'). Since string comparison evaluates character by character, a version like '2.0' would be considered greater than '10.0' because '2' > '1' as a character, leading to incorrect filtering results. To compare versions numerically, you must convert the field to a numeric type using functions like `tonumber()` or parse the version string into comparable components.

Exam trap

Splunk often tests the misconception that `where` can automatically handle numeric comparisons for fields that look like numbers but are stored as strings, leading candidates to overlook the need for explicit type conversion.

How to eliminate wrong answers

Option B is wrong because `where` can be used with string comparisons; the command supports both string and numeric comparisons, so the issue is not about the command's capability but the data type. Option C is wrong because `inputlookup` is a valid command that loads a lookup file into the search, and it is correctly used here to retrieve the CSV data. Option D is wrong because `table` is a valid command that returns results in a tabular format, and replacing it with `fields` would not resolve the version comparison issue; the problem lies in the comparison logic, not the output command.

78
MCQmedium

A lookup definition is configured with a very large CSV file. The lookup performs slowly. Which change would most improve performance?

A.Use inputlookup instead of lookup.
B.Ensure the lookup field in the file is the first column.
C.Add an index to the lookup file.
D.Convert the CSV to a TSV.
AnswerB

Optimizes search within the file.

Why this answer

Splunk's lookup command performs a linear scan of the CSV file to find matching values. By placing the lookup field as the first column, Splunk can use an internal optimization that reduces the search space, as it can quickly locate the matching row without scanning the entire file. This is the most effective single change for improving performance with a large CSV-based lookup.

Exam trap

The trap here is that candidates often confuse database indexing with file-based lookups, assuming an 'index' can be added to a CSV, or they mistakenly believe changing the file format (TSV vs CSV) affects search speed, when the real optimization is about the column order and the resulting search algorithm efficiency.

How to eliminate wrong answers

Option A is wrong because inputlookup is a search command that loads the entire lookup file into memory as a dataset, which does not improve performance for field-based lookups and can actually be slower for large files. Option C is wrong because CSV files do not support indexing; indexes are a database concept and Splunk does not create indexes on static lookup files. Option D is wrong because converting CSV to TSV does not change the underlying linear scan behavior; the delimiter has no impact on lookup performance.

79
MCQeasy

A search uses `| fields - _raw, _time` and then later needs `_time` again. What will happen?

A.The `_time` field is no longer available for later commands.
B.The command removes all fields except _raw and _time.
C.The command will cause an error because you cannot remove internal fields.
D.The `_time` field will still be available but empty.
AnswerA

The fields command with '-' removes those fields from subsequent processing.

Why this answer

The `| fields - _raw, _time` command explicitly removes the `_time` field from the search results. Once a field is removed using the `fields` command with a minus sign, it is no longer available for any subsequent commands in the search pipeline. This is because the `fields` command operates on the current working set of events, stripping out the specified fields entirely, and later commands cannot reference a field that has been removed.

Exam trap

The trap here is that candidates often assume internal fields like `_time` cannot be removed or that removing them only empties the value, when in fact the `fields` command with a minus sign completely deletes the field from the event data.

How to eliminate wrong answers

Option B is wrong because the `fields` command with a minus sign removes the listed fields, not keeps them; the command removes `_raw` and `_time`, leaving all other fields intact. Option C is wrong because Splunk allows removal of internal fields like `_raw` and `_time` using the `fields` command; no error is generated. Option D is wrong because the `_time` field is not merely emptied but is completely removed from the event data, so it is not available at all.

80
Multi-Selectmedium

A Splunk user wants to create a lookup that maps a field 'status_code' to a human-readable 'status_description'. The lookup data is small and changes infrequently. Which TWO methods are appropriate for creating this lookup? (Choose two.)

Select 2 answers
A.Create a lookup definition file (transforms.conf) with the mapping inline
B.Create a KV Store collection to store the mapping
C.Use the 'lookup' command in a search to create a temporary mapping each time
D.Use a calculated field in props.conf to derive the description from the code
E.Save a CSV file with the mapping and define a lookup from that file
AnswersA, E

A lookup definition file can include inline data or reference a file; it's a standard method.

Why this answer

Option A is correct because a lookup definition file (transforms.conf) can contain an inline mapping using the `filename` or `external_type` settings, but more specifically for small static data, you can define a lookup with a `table` or `static` definition that directly maps values without an external file. This is efficient for small, infrequently changing data as it avoids file management overhead. Option E is correct because saving a CSV file with the mapping and defining a lookup from that file is the standard method for small, static lookup data in Splunk, using the `lookup` command or automatic lookup to enrich events.

Exam trap

The trap here is that candidates often confuse KV Store (designed for dynamic, writable data) with static CSV lookups, or think the `lookup` command can create mappings on the fly, when in fact it only applies pre-defined lookup definitions from configuration files.

81
Matchingmedium

Match each search mode to its behavior.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Optimizes for speed, minimal fields and events

Adjusts automatically based on search complexity

Returns all fields and events for maximum detail

Why these pairings

Search modes affect performance and output.

82
Multi-Selectmedium

Which of the following are valid reasons to use a lookup in Splunk? (Choose two.)

Select 2 answers
A.To enrich events with additional information from an external source.
B.To create new fields using the eval command.
C.To alias field names permanently.
D.To change the timestamp format of events.
E.To filter events based on a field that matches a list of values.
AnswersA, E

Primary use.

Why this answer

Option A is correct because a lookup in Splunk enriches events by adding fields from an external source, such as a CSV file, KV store, or scripted lookup, based on a matching field in the event. This allows you to bring in contextual data (e.g., user names, device details) without modifying the original raw data.

Exam trap

The trap here is that candidates often confuse the `lookup` command with other field-manipulation commands like `eval` or `fieldalias`, leading them to select options that describe those commands instead of the specific purpose of a lookup.

83
MCQeasy

An analyst wants to see all field names and their types from a search result. Which command can be used?

A.fieldsummary
B.fields *
C.eval
D.rex
AnswerA

Correct command to display field names and types.

Why this answer

The `fieldsummary` command returns a table listing all field names, their types (e.g., number, string), and basic statistics (count, distinct count) from the search results. This directly meets the analyst's requirement to see field names and their types without manually inspecting raw events.

Exam trap

The trap here is that candidates confuse `fields *` (which shows field names only) with `fieldsummary` (which shows names and types), or they think `eval` or `rex` can be used to list field metadata, when in fact those commands are for field creation and extraction, not introspection.

How to eliminate wrong answers

Option B (`fields *`) is wrong because it only retains or displays all fields in the search results, but does not show their data types or summary statistics. Option C (`eval`) is wrong because it creates new fields or modifies existing ones using expressions, not for listing field names and types. Option D (`rex`) is wrong because it extracts fields using regular expressions from raw event data, not for displaying existing field metadata.

84
MCQhard

A Splunk administrator notices that a lookup definition named 'assets' is not returning any results in searches even though the CSV file exists and has data. The lookup definition uses the filename 'assets.csv' and the matching field 'ip' matches the event field 'dest_ip'. The search query 'index=main | lookup assets ip AS dest_ip OUTPUT asset_name' returns no asset_name values. What is the most likely cause?

A.The lookup command syntax is incorrect; it should be 'lookup assets dest_ip AS ip'
B.The lookup command is missing the 'name' field; it should be 'lookup assets name AS ip'
C.The user may not have permissions to access the lookup definition; check the knowledge object permissions
D.The command should use 'inputlookup' instead of 'lookup' to load the CSV data
AnswerC

If the user does not have read access to the lookup definition, the lookup will silently return no results.

Why this answer

Option C is correct because the lookup definition exists and the CSV file has data, but the search returns no results, indicating a permissions issue. In Splunk, knowledge objects like lookups have permissions that restrict which roles can use them; if the user's role lacks read access to the 'assets' lookup definition, the lookup command will silently return no results. The syntax and command structure are otherwise correct, so the most likely cause is that the lookup definition's permissions are not set to allow the user's role.

Exam trap

The trap here is that candidates often assume the issue is a syntax error or incorrect field mapping, but Splunk tests the understanding that lookup permissions can silently block results even when the CSV file and definition are correctly configured.

How to eliminate wrong answers

Option A is wrong because the lookup command syntax 'lookup assets ip AS dest_ip' is correct: it maps the lookup field 'ip' to the event field 'dest_ip', which matches the definition. Option B is wrong because there is no 'name' field in the lookup definition; the matching field is 'ip', and the lookup command does not require a 'name' argument. Option D is wrong because 'inputlookup' is used to load the entire CSV as a dataset, not to perform field-based matching in a search; the 'lookup' command is the correct command for enriching events with lookup data.

85
MCQhard

A lookup table has been defined with `max_matches = 5`. What does this setting do?

A.It limits the number of fields output from the lookup.
B.It creates a maximum of 5 lookup files.
C.It limits the lookup to return at most 5 results per event.
D.It limits the lookup to match only 5 events.
AnswerC

Controls matches per event.

Why this answer

Option C is correct because the `max_matches` parameter in a Splunk lookup definition controls how many matching rows from the lookup table are appended to a single event. When set to 5, Splunk will return at most 5 lookup results for each event that matches the lookup criteria, preventing excessive field duplication.

Exam trap

The trap here is confusing `max_matches` (per-event row limit) with `max_offset` or `max` parameters that limit the total number of events or results in a search, leading candidates to incorrectly choose Option D.

How to eliminate wrong answers

Option A is wrong because `max_matches` does not limit the number of fields output; it limits the number of rows (results) returned per event, while field selection is controlled by the lookup definition's field mapping or the `fields` parameter. Option B is wrong because `max_matches` has nothing to do with creating lookup files; it is a runtime behavior setting for an existing lookup table, not a file creation limit. Option D is wrong because `max_matches` limits results per event, not the total number of events that can be matched; the lookup will still attempt to match all events in the search results.

86
MCQeasy

A user wants to create a lookup table to enrich events with customer information. Which file format is NOT supported for a classic CSV-based lookup?

A.TSV
B.XLSX
C.CSV
AnswerB

XLSX is not supported; must be converted to CSV.

Why this answer

Classic CSV-based lookups in Splunk only support delimited text files such as CSV (comma-separated) and TSV (tab-separated). XLSX is a binary Excel format that is not supported for classic CSV-based lookups; it requires a different lookup type (e.g., a KV store lookup or a scripted lookup) or must be converted to CSV first.

Exam trap

Splunk often tests the distinction between file formats that are 'text-based delimited' (CSV, TSV) versus 'binary or structured' (XLSX, JSON) to see if candidates confuse the classic CSV-based lookup with other lookup types that support JSON or Excel via KV store or scripted lookups.

How to eliminate wrong answers

Option A is wrong because TSV (tab-separated values) is a valid delimited text format that Splunk can parse as a classic CSV-based lookup when the delimiter is set to tab. Option C is wrong because CSV (comma-separated values) is the primary format for classic CSV-based lookups. Option D is wrong because JSON is not a delimited text format; it is a structured data format that Splunk supports via KV store lookups or as a lookup table file only when using the JSON lookup type, not the classic CSV-based lookup.

87
MCQeasy

A security analyst wants to count the number of unique users who have logged in over the past week. Which field-based command should they use?

A.index=main sourcetype=login | stats sum(user)
B.index=main sourcetype=login | dedup user | stats count
C.index=main sourcetype=login | stats count by user
D.index=main sourcetype=login | top user
AnswerB

Dedup removes duplicate users, then stats count gives the number of unique users.

Why this answer

Option B is correct because it first uses `dedup user` to remove duplicate user values, leaving only unique users, and then `stats count` to count the remaining events, which effectively counts the number of unique users who logged in over the past week. This approach ensures each user is counted only once, meeting the requirement for a unique count.

Exam trap

The trap here is that candidates often confuse `stats count by user` (which groups by user) with counting unique users, or they incorrectly use `sum` on non-numeric fields, leading them to choose options that do not produce a single unique count.

How to eliminate wrong answers

Option A is wrong because `sum(user)` attempts to sum string values, which is invalid and will not produce a count of unique users; it would cause an error or return 0. Option C is wrong because `stats count by user` counts the number of events per user, not the number of unique users; it returns a table of users with their event counts, not a single total. Option D is wrong because `top user` lists the most frequent users based on event count, not the count of unique users; it focuses on frequency rather than uniqueness.

88
MCQmedium

Refer to the exhibit. A user runs a search with `| lookup excel_lookup product_id OUTPUT sales_rep`. For a product_id that exists in the CSV but with a different case (e.g., "ABC123" vs "abc123"), what will be the value of the `sales_rep` field after the lookup?

A.The correct sales_rep from the lookup.
B.An error because case mismatch.
C."N/A" because the case does not match and default_match is set.
D.An empty string because no match.
AnswerC

default_match is used.

Why this answer

Option B is correct because case_sensitive_match=true means the cases must match exactly. Since there is no exact match, the lookup will use the default_match value, which is "N/A". Option A is wrong because case differs.

Option C wrong because empty string is not used. Option D wrong because no error occurs.

89
MCQmedium

A large enterprise uses Splunk to monitor network traffic from thousands of devices. The events contain a field 'dest_ip' that you want to enrich with a company-specific asset owner and department. The asset data is stored in an SQL database that is updated daily. The Splunk administrator has set up a DB Connect app to query the database. However, the performance of the search is very slow when using dbquery to lookup asset information for each event. The team needs to improve performance while still maintaining daily updates. Which approach should the team take?

A.Create a search-time field extraction that parses the dest_ip to derive owner and department
B.Increase the number of indexers to parallelize the lookup operations
C.Use DB Connect to export the asset data to a CSV file or KV Store collection on a daily schedule, then use a CSV or KV Store lookup in searches
D.Use the 'lookup' command with a KV Store lookup that is populated from the database in real time
AnswerC

Pre-loading the data into a faster lookup source (CSV or KV Store) eliminates real-time database queries and speeds up searches.

Why this answer

Option C is correct because exporting the asset data from the SQL database to a CSV file or KV Store collection on a daily schedule leverages the DB Connect app for bulk data transfer rather than per-event queries. This approach avoids the overhead of repeated dbquery calls during search time, which cause performance degradation. Using a CSV or KV Store lookup then provides fast, indexed lookups that can be refreshed daily to maintain data freshness.

Exam trap

The trap here is that candidates often assume real-time database connectivity (Option D) is always better for freshness, but they overlook the severe performance penalty of per-event database queries in high-volume environments.

How to eliminate wrong answers

Option A is wrong because search-time field extraction cannot derive owner and department from dest_ip without an external data source; it would require complex regex or pattern matching that is not feasible for arbitrary IP-to-asset mapping. Option B is wrong because increasing the number of indexers does not parallelize lookup operations; indexers handle indexing and search distribution, but the bottleneck here is the per-event dbquery call to the SQL database, which is not parallelized by adding indexers. Option D is wrong because using a KV Store lookup populated in real time from the database would still require a live connection and per-event queries, defeating the performance improvement; KV Store is designed for static or periodically refreshed data, not real-time database synchronization.

90
MCQmedium

A Splunk administrator needs to create a field alias that renames the field 'src_ip' to 'source_ip' for events in the index 'network'. The administrator has created the field alias in the Field Aliases settings in the UI. However, when searching index=network, the new field 'source_ip' does not appear in the events. The search still shows 'src_ip'. What could be the reason?

A.Field aliases only work with lookups, not with standard fields
B.The field 'src_ip' is not extracted automatically; an explicit field extraction is required first
C.The alias should be created using the 'rename' command in the search, not via the UI
D.The field alias is configured for a specific sourcetype that does not match the events in the index
AnswerD

The alias must be applied to the correct sourcetype or to all sourcetypes.

Why this answer

Option D is correct because field aliases in Splunk are configured per sourcetype. If the alias is applied to a sourcetype that does not match the events in the 'network' index, the alias will not take effect, and the original field name 'src_ip' will continue to appear. The administrator must ensure the alias is assigned to the correct sourcetype(s) present in the index.

Exam trap

The trap here is that candidates assume field aliases apply globally to all events in an index, when in reality they are scoped to specific sourcetypes, and misconfiguring the sourcetype match is a frequent cause of the alias not appearing.

How to eliminate wrong answers

Option A is wrong because field aliases work on any extracted field, not just lookup fields; they rename fields regardless of how the field was created. Option B is wrong because 'src_ip' is already present in the events (as shown by the search), so it is already extracted; no explicit extraction is needed for an alias to work. Option C is wrong because the 'rename' command only renames fields for the duration of a single search, whereas a field alias created in the UI persists across all searches and is the correct method for permanent renaming.

91
Multi-Selecthard

Which THREE of the following are capabilities of the rex command?

Select 3 answers
A.Perform case-insensitive extraction by default.
B.Extract fields using regex named groups.
C.Replace text using sed expressions.
D.Set a default value for a field.
E.Extract fields from a specific field using field parameter.
AnswersB, C, E

The primary use of rex.

Why this answer

Option B is correct because the `rex` command can extract fields using regex named groups, where the group name becomes the field name and the matched value becomes the field value. This is a core capability of `rex` for field extraction in Splunk.

Exam trap

Splunk often tests the distinction between `rex` and `sed` commands, where candidates confuse `rex`'s regex extraction with `sed`'s text replacement, or assume `rex` can set default values like `eval` does.

92
Multi-Selecthard

A Splunk administrator is configuring a lookup to enrich firewall logs with a static CSV file containing allowed IP ranges. Which TWO statements about lookup configuration are correct?

Select 2 answers
A.A KV Store lookup is required for static tables.
B.The lookup definition must include the fields to match on from the event data.
C.The CSV file can be uploaded through the Lookups menu in Settings.
D.The lookup is defined in macros.conf.
E.The CSV file must be placed in an absolute path on the search head.
AnswersB, C

Matching fields are required to relate the lookup table to events.

Why this answer

Option B is correct because a lookup definition must specify the fields from the event data that will be used to match against the lookup table. This is configured in the 'Lookup definition' settings where you define the input fields (event fields) and output fields (lookup fields). Without this match configuration, Splunk cannot correlate the event data with the CSV file contents.

Exam trap

The trap here is that candidates often confuse the purpose of KV Store lookups (dynamic, editable) with static CSV lookups, or mistakenly think lookups are defined in macros.conf instead of transforms.conf.

93
MCQmedium

A user creates a CSV lookup file 'users.csv' with columns 'userid' and 'full_name'. A lookup definition is set up. The search `index=auth | lookup users.csv userid AS user OUTPUT full_name` returns no results for 'full_name' even though there are matching userids. What is the most likely cause?

A.The search returns no events for the userid field.
B.The lookup command should be placed before the index search.
C.The lookup name 'users.csv' should be the lookup definition name, not the filename.
D.The 'AS user' should be 'AS userid'.
AnswerC

The lookup command uses the definition name as configured in Splunk, typically without extension.

Why this answer

The `lookup` command in Splunk requires the lookup definition name, not the filename, when referencing a lookup table. Even though the CSV file is named 'users.csv', the lookup definition created in Settings > Lookups defines the logical name used in searches. Using the filename directly causes Splunk to fail to resolve the lookup, resulting in no 'full_name' values being returned.

Exam trap

Splunk often tests the distinction between the lookup filename and the lookup definition name, trapping candidates who assume the filename can be used directly in the `lookup` command.

How to eliminate wrong answers

Option A is wrong because the search returns events from index=auth, and matching userids exist; the issue is that the lookup itself fails to execute, not that events are missing. Option B is wrong because the lookup command can be placed anywhere in the search pipeline after the index search; order is not the cause of the missing field. Option D is wrong because 'AS user' renames the userid field to 'user' for matching, which is syntactically correct; the problem is the lookup name, not the field alias.

94
MCQmedium

An admin notices that a lookup is not returning any results for some events even though matching keys exist. What is the most likely cause?

A.The lookup field name is different from the event field name
B.The lookup is defined with the wrong field order
C.The time range of the search is too narrow
D.The lookup is case-sensitive and the key values have different cases
AnswerD

Lookups are case-sensitive by default.

Why this answer

Option D is correct because lookups in Splunk are case-sensitive by default. If the lookup file contains key values in a different case (e.g., 'ABC') than the event field values (e.g., 'abc'), the lookup will not match, even though the underlying data is logically equivalent. This is a common cause of lookup failures when the data sources have inconsistent casing.

Exam trap

The trap here is that candidates often assume lookups are case-insensitive by default, similar to SQL JOINs, and overlook Splunk's case-sensitive string matching behavior, leading them to incorrectly choose options like field name mismatch or time range issues.

How to eliminate wrong answers

Option A is wrong because if the lookup field name differs from the event field name, the admin would typically see no results at all, not just for some events; the lookup definition explicitly maps fields, so a mismatch would be a configuration error, not a partial failure. Option B is wrong because field order in a lookup definition only matters for output fields or when using automatic lookup with multiple fields; it does not affect whether matching keys return results—the lookup still matches on the specified key fields regardless of order. Option C is wrong because the time range of a search does not affect lookup matching; lookups are static file-based or KV-store-based and do not depend on time, so a narrow time range would simply return fewer events, not cause lookup failures for events that do exist.

95
MCQhard

A search includes a lookup that returns multiple matches for a single event. The analyst wants to keep only the first match. Which lookup command option should they use?

A.update=t
B.local=t
C.max_matches=1
D.append=t
AnswerC

max_matches=1 limits the lookup to return only the first matching row.

Why this answer

Option B is correct because the max_matches option controls how many results to keep; setting it to 1 keeps the first match. Option A is wrong because local is for time-based lookup. Option C is wrong because append is for adding fields from external.

Option D is wrong because update is for outputlookup.

96
Multi-Selectmedium

An analyst needs to create a lookup file. Which TWO methods can be used?

Select 2 answers
A.Use inputlookup command.
B.Use rex to parse and then outputcsv.
C.Upload a CSV file via the Lookups UI.
D.Use eval to create a table and then export.
E.Use outputlookup command.
AnswersC, E

Direct upload via UI creates a lookup definition.

Why this answer

Option C is correct because the Lookups UI in Splunk Web provides a direct method to upload a CSV file and create a lookup table file (static lookup) without needing to write any commands. Option E is correct because the `outputlookup` command writes the results of a search directly into a lookup file, creating or appending to a lookup definition. Both are standard methods for creating lookup files in Splunk.

Exam trap

Splunk often tests the distinction between commands that create lookup files (`outputlookup`) versus commands that only export data as CSV (`outputcsv`), trapping candidates who assume any CSV export creates a usable lookup.

97
MCQmedium

A security analyst needs to enrich firewall logs with user identity information stored in a CSV file. The CSV file contains fields: user_id, username, department, location. The firewall logs contain a field 'src_user_id'. Which Splunk feature should be used to add the username and department fields to the firewall events based on matching src_user_id to user_id?

A.Create a field alias that maps src_user_id to username and department
B.Define a lookup table from the CSV file and use the input lookup command or automatic lookup to add username and department
C.Use the eval command with an if statement to populate username and department from src_user_id
D.Create a calculated field that computes username and department based on src_user_id
AnswerB

Lookups are designed to enrich events with data from external sources like CSV files based on matching field values.

Why this answer

Option B is correct because a lookup table defined from the CSV file allows Splunk to map the 'src_user_id' field in firewall events to the 'user_id' field in the CSV, then add the 'username' and 'department' fields from the lookup. This is the standard method for enriching events with external data using the 'inputlookup' command or an automatic lookup configuration.

Exam trap

The trap here is confusing field aliases or calculated fields with lookups, leading candidates to choose options that cannot perform external data enrichment based on a key match.

How to eliminate wrong answers

Option A is wrong because a field alias only creates an alternate name for an existing field; it cannot add new fields or map values from an external source. Option C is wrong because the 'eval' command with an 'if' statement would require hardcoding every possible user_id-to-username/department mapping, which is impractical for large datasets and not designed for CSV-based enrichment. Option D is wrong because calculated fields are derived from existing event fields using eval expressions, not from external lookup files, and cannot perform key-based matching against a separate data source.

98
MCQmedium

A Splunk user needs to perform a lookup that matches events based on a field 'userid' to a lookup table that contains 'userid', 'full_name', and 'email'. The lookup table is a CSV file named 'users.csv' located in the default lookup directory. The user runs the search: index=main | lookup users.csv userid OUTPUT full_name, email. However, the search returns an error that the lookup table 'users.csv' was not found. What is the most likely reason for this error?

A.The CSV file must have a .csv extension, but the command should omit the extension
B.The fields 'full_name' and 'email' are not present in the CSV file
C.The CSV file is not in the correct format; it should have a header row
D.The lookup command must reference the lookup definition name, not the CSV file name directly
AnswerD

Splunk requires a lookup definition to be created that points to the CSV file; then you use the definition name in the lookup command.

Why this answer

The `lookup` command in Splunk requires a lookup definition name, not the raw CSV filename. The lookup definition is created in Splunk's configuration (e.g., transforms.conf) and maps a logical name to the actual CSV file. Using the filename directly bypasses this definition, causing Splunk to report the file as not found because it searches for a definition, not the file path.

Exam trap

The trap here is that candidates assume the `lookup` command can directly use a CSV filename, confusing it with the `inputlookup` command which does accept filenames, while `lookup` strictly requires a definition name.

How to eliminate wrong answers

Option A is wrong because the `lookup` command does not require omitting the extension; the issue is that the command expects a definition name, not a filename. Option B is wrong because the error message explicitly states the table was not found, not that fields are missing; field presence is irrelevant to this error. Option C is wrong because the CSV format (header row) is not the cause; Splunk can parse CSV files with headers, but the error occurs before any parsing, as the lookup definition is missing.

99
Multi-Selectmedium

Which TWO of the following are valid ways to create a field alias in Splunk?

Select 2 answers
A.Use the INDEXED_EXTRACTIONS setting with an alias directive
B.Define FIELDALIAS-<class> in props.conf
C.Use eval to assign a field to another field name
D.Use the rename command in a saved search
E.Use the aliases command in a search
AnswersA, B

Some indexed extractions allow aliasing.

Why this answer

Option A is correct because the INDEXED_EXTRACTIONS setting in props.conf can include an alias directive (e.g., `alias::<field>=<alias>`) to define field aliases directly at index time. This allows you to map an extracted field to an alternative name without modifying the raw data or using search-time operations.

Exam trap

Splunk often tests the distinction between transient search-time operations (like `eval` or `rename`) and persistent configuration-based aliases (props.conf), leading candidates to mistakenly think that a search command can create a permanent field alias.

100
MCQeasy

Refer to the exhibit. What will this search return?

A.A time chart of URI counts
B.A statistical summary of URI lengths
C.The 5 most common URI values
D.A list of all URI values
AnswerC

top 5 limits to top 5.

Why this answer

The `top` command in SPL returns the most common values of a field, sorted by count in descending order, limited by default to 10 results. Since the search specifies `limit=5`, it returns the 5 most frequent URI values, making option C correct.

Exam trap

The trap here is that candidates confuse `top` with `timechart` or `stats`, expecting a time-series or statistical summary instead of a simple frequency count of field values.

How to eliminate wrong answers

Option A is wrong because `top` does not produce a time-based chart; it returns a table of counts, not a timechart. Option B is wrong because `top` counts occurrences of field values, not lengths or statistical summaries of lengths. Option D is wrong because `top` with `limit=5` restricts output to the top 5 values, not a list of all values.

101
MCQeasy

A user runs a search for errors but notices that the `source` field is not appearing in the selected fields list. What is the most likely reason?

A.The field `source` is a default field and is always present.
B.The search returned no results.
C.The user may have closed the field sidebar.
D.The `source` field is only available if explicitly extracted.
AnswerA

source is a default field.

Why this answer

Option A is correct because the `source` field is a default metadata field in Splunk, automatically extracted at index time for every event. It is always present in the selected fields list when events are returned, regardless of the search query or data source type.

Exam trap

The trap here is that candidates may think `source` is an optional or extracted field, but Splunk automatically includes it as a default metadata field for every event, so it is always available in the selected fields list when events exist.

How to eliminate wrong answers

Option B is wrong because if the search returned no results, the selected fields list would be empty or show no fields, not specifically omit the `source` field. Option C is wrong because closing the field sidebar hides the entire fields panel, not just the `source` field from the selected fields list. Option D is wrong because the `source` field is not explicitly extracted; it is a default metadata field that Splunk automatically populates from the file or input path at index time.

102
Multi-Selectmedium

Which three of the following statements about lookup tables and their usage in Splunk are correct? (Choose three.)

Select 3 answers
.A lookup table can be defined as a CSV file stored in the lookups directory of an app
.The `| inputlookup` command can be used to return the contents of a lookup table as search results
.Lookups can be configured to automatically enrich events during search time using the `lookup` command
.Lookup table files must always have a .csv extension and cannot be in other formats like .kvstore
.The `| outputlookup` command is used to append data to an existing lookup file without any limitations
.Lookups can only match on a single field; using multiple fields requires creating separate lookups

Why this answer

The first three statements are correct. Lookup tables can be defined as CSV files stored in the lookups directory of an app, which is a standard method for creating static lookups. The `| inputlookup` command retrieves and returns the contents of a lookup table as search results, allowing you to inspect or use the data.

Lookups can be configured to automatically enrich events during search time using the `lookup` command, which matches fields in events against the lookup table to add additional fields.

Exam trap

Splunk often tests the misconception that lookups are restricted to single-field matching or that outputlookup has no limitations, leading candidates to overlook the flexibility of multi-field lookups and the constraints of outputlookup.

103
MCQhard

Refer to the exhibit. A user gets this error when running a search with a GeoIP lookup. What is the most likely cause?

A.The user does not have permission to use lookups
B.The lookup command syntax is incorrect
C.The lookup file has not been uploaded to Splunk
D.The field name in the lookup does not match the event field
AnswerC

The file is missing from the expected location.

Why this answer

The error message indicates that Splunk cannot find the lookup table referenced in the search. Option C is correct because the GeoIP lookup file must be uploaded to Splunk (as a CSV or KMZ file) and defined as a lookup table in the lookups.conf configuration before it can be used in a search. Without the file being present in the system, the lookup command fails with a 'lookup table not found' error.

Exam trap

Splunk often tests the distinction between a missing lookup file (Option C) and a syntax error (Option B), because candidates may assume the command is wrong when the actual issue is that the lookup table resource is not available.

How to eliminate wrong answers

Option A is wrong because permission errors typically produce a different error message (e.g., 'You do not have permission to run this search' or 'No permission for lookup'), not a 'lookup table not found' error. Option B is wrong because the lookup command syntax (e.g., `| lookup geoip clientip`) is correct; the error is about the missing lookup file, not the command structure. Option D is wrong because a field name mismatch would cause the lookup to return no results or a 'field not found' warning, not a 'lookup table not found' error.

104
MCQhard

A company has a Splunk environment indexing firewall logs from multiple vendors. The security team wants to enrich events with a threat intelligence lookup that contains IP addresses and threat categories. The lookup file 'threat_intel.csv' has fields: ip, category, confidence. The admin runs the following search: index=firewall | lookup threat_intel.csv src_ip OUTPUT category confidence. However, the lookup returns no results, even though there are matching IPs. The admin verifies that the lookup file is uploaded and the field names are correct. What is the most likely cause? The admin suspects that the lookup is case-sensitive, but the IP addresses in the logs are lowercase and the lookup has uppercase. The admin also considers that the lookup might be configured with the wrong field order, or that the lookup command is missing the OUTPUTNEW option, or that the index name is wrong. Which course of action should the admin take first to resolve the issue?

A.Modify the lookup definition to set case_sensitive_match = false
B.Swap the field order in the lookup command
C.Change OUTPUT to OUTPUTNEW to avoid overwriting fields
D.Change the index to default
AnswerA

This allows case-insensitive matching.

Why this answer

The most likely cause is that the lookup is case-sensitive by default, and the IP addresses in the logs are lowercase while the lookup file contains uppercase IPs. Setting `case_sensitive_match = false` in the lookup definition forces Splunk to ignore case when matching, which resolves the issue without altering the data or command structure.

Exam trap

The trap here is that candidates often assume the lookup command syntax is wrong (e.g., field order or OUTPUT vs OUTPUTNEW) when the real issue is a subtle default behavior like case sensitivity, which Splunk explicitly tests in the SPLK-1002 exam.

How to eliminate wrong answers

Option B is wrong because the field order in the lookup command (`threat_intel.csv src_ip OUTPUT category confidence`) is correct — the first field after the filename is the lookup field to match, and `src_ip` matches the field in the events. Option C is wrong because `OUTPUTNEW` only prevents overwriting existing fields, but the problem is that no matches are found at all, not that fields are being overwritten. Option D is wrong because the index name is irrelevant — the search explicitly specifies `index=firewall`, and the lookup failure is not related to the index selection.

105
MCQeasy

A security analyst is investigating a suspicious IP address. They want to find all events related to that IP. Which field should they use in a search?

A.source_ip
B.dest_ip
C.host
D.user
AnswerA

source_ip typically contains the originating IP address.

Why this answer

The correct answer is A: source_ip. In Splunk, when investigating a suspicious IP address, the source_ip field identifies the origin of network traffic. By searching for source_ip=<suspicious IP>, you retrieve all events where that IP was the initiator of a connection, which is the most direct way to find events related to that IP in network logs.

Exam trap

The trap here is that candidates often confuse source_ip with dest_ip, assuming any IP field will work, but Splunk requires field-specific searches to accurately capture the role of the IP in the event.

How to eliminate wrong answers

Option B (dest_ip) is wrong because it only captures events where the IP is the destination of traffic, missing events where the IP originated the connection. Option C (host) is wrong because host refers to the machine or device that generated the event, not the IP address itself, and may not even contain the IP in question. Option D (user) is wrong because user identifies a username or account, not an IP address, and would not return any events related to the IP.

106
MCQeasy

In Splunk, which of the following is true about fields?

A.Fields are extracted at search time from raw data
B.Fields must be manually defined before indexing
C.Fields are only available after using the fields command
D.All fields are predefined by Splunk
AnswerA

Splunk extracts fields during search.

Why this answer

In Splunk, fields are extracted at search time from raw data using the Search Processing Language (SPL) and the default field extraction rules. This allows Splunk to dynamically identify and index field-value pairs without requiring predefined schemas, enabling flexible ad-hoc analysis of unstructured or semi-structured data.

Exam trap

The trap here is that candidates often confuse search-time field extraction with index-time field extraction, mistakenly believing fields must be defined before indexing (Option B) or that Splunk predefines all fields (Option D), when in reality Splunk's flexibility comes from extracting fields at search time from raw data.

How to eliminate wrong answers

Option B is wrong because Splunk does not require fields to be manually defined before indexing; it uses automatic key-value extraction and can also leverage custom field extractions via transforms.conf or props.conf. Option C is wrong because fields are available automatically after indexing and can be used in searches without the fields command; the fields command is used to include or exclude specific fields from search results. Option D is wrong because not all fields are predefined by Splunk; many fields are extracted dynamically from the raw data, and users can define custom fields using field extractions or lookups.

107
MCQeasy

A user wants to see only events where the 'action' field has a value of 'success'. Which search syntax should they use?

A.where action=success
B.action=success
C.lookup action=success
D.search action=success
AnswerB

Direct filtering in the search bar.

Why this answer

Option B is correct because in Splunk's Search Processing Language (SPL), a field-value pair like `action=success` is the most direct and efficient way to filter events where the field 'action' has the value 'success'. This syntax leverages Splunk's index-time field extraction and inverted index lookup, making it faster than using the `where` or `search` commands for simple equality filters.

Exam trap

Splunk often tests the misconception that the `where` command is required for all filtering, but in Splunk, a bare field-value pair is the standard and most performant way to filter on exact field values, while `where` is reserved for complex expressions or comparisons.

How to eliminate wrong answers

Option A is wrong because `where action=success` is invalid syntax; the `where` command requires an expression (e.g., `where action="success"`) and does not accept a bare field-value pair. Option C is wrong because `lookup action=success` is not a valid search command; the `lookup` command is used to enrich events with external data from a lookup table, not to filter on existing fields. Option D is wrong because `search action=success` is redundant and less efficient; while it works, the implicit search prefix already applies, so the explicit `search` command is unnecessary and can be slower in large datasets.

108
Multi-Selecthard

Which TWO of the following are true about KV Store lookups in Splunk?

Select 2 answers
A.KV Store lookups automatically support time-based retrieval
B.KV Store lookups are stored as CSV files on the search head
C.KV Store lookups can be used in automatic lookups
D.KV Store lookups can be updated via REST API
E.KV Store lookups only support exact match lookups
AnswersC, D

They can be configured as automatic lookups in props.conf.

Why this answer

Option C is correct because KV Store lookups can be configured as automatic lookups in Splunk, meaning they can be applied at search time without requiring an explicit lookup command. This is done by defining the KV Store collection as a lookup in transforms.conf and then associating it with a source type or host in props.conf, just like CSV or external lookups.

Exam trap

Splunk often tests the misconception that KV Store lookups are file-based like CSV lookups, but the trap here is that candidates may confuse KV Store storage with CSV files or assume time-based retrieval is automatic, when in fact KV Store is a database-backed lookup that requires explicit time handling and supports wildcard matching.

109
MCQeasy

A security analyst runs a search that returns many fields, most of which are not needed. Which command should be used to remove all fields except 'src_ip', 'dest_ip', and 'action'?

A.| rename src_ip as src, dest_ip as dest, action as act
B.| fields + src_ip, dest_ip, action
C.| fields - src_ip, dest_ip, action
D.| table src_ip, dest_ip, action
AnswerB

The '+' prefix keeps only listed fields.

Why this answer

The `fields` command with the `+` prefix explicitly keeps only the listed fields and removes all others from the search results. This is the correct way to retain only `src_ip`, `dest_ip`, and `action` while discarding the rest.

Exam trap

Splunk often tests the distinction between `fields +` (keep only) and `fields -` (remove), and candidates frequently confuse the two, especially when the question asks to 'remove all fields except' a specific set.

How to eliminate wrong answers

Option A is wrong because `rename` only changes field names, it does not remove any fields. Option C is wrong because `fields -` removes the listed fields, keeping all others, which is the opposite of what is needed. Option D is wrong because `table` creates a results table with only those fields, but it also transforms the output into a tabular format and can affect event counts or statistical commands, whereas `fields` simply filters fields without changing the data structure.

110
Multi-Selecteasy

Which TWO methods can be used to create a new field in a search?

Select 2 answers
A.search new_field=*
B.timechart count by date
C.rex field=raw "(?<new_field>pattern)"
D.stats count by host
E.eval new_field = some_expression
AnswersC, E

Rex can extract and create new fields from existing ones.

Why this answer

Option C is correct because the `rex` command uses a regular expression to extract a named group (`(?<new_field>pattern)`) from the `_raw` event data, dynamically creating the field `new_field` with the matched value. This is a standard method for field extraction in Splunk searches.

Exam trap

Splunk often tests the misconception that filtering commands like `search` or aggregation commands like `stats` can create fields, when in reality only extraction (`rex`) or evaluation (`eval`) commands generate new fields from existing data.

111
MCQeasy

Refer to the exhibit. An automatic lookup is configured with WILDCARD match type. What kind of matching does this enable?

A.Matching based on prefixes or suffixes using wildcards.
B.Exact match only.
C.Case-insensitive match.
D.Matching only on the first N characters.
AnswerA

WILDCARD enables pattern matching.

Why this answer

Option A is correct because an automatic lookup configured with WILDCARD match type enables matching based on prefixes or suffixes using wildcards. This allows the lookup to match field values that contain a wildcard character (e.g., * or ?) to represent variable parts of the string, enabling flexible pattern matching beyond exact equality.

Exam trap

The trap here is that candidates often confuse WILDCARD match type with case-insensitive matching or assume it only supports prefix matching, when in fact it supports both prefix and suffix wildcards and is distinct from case sensitivity settings.

How to eliminate wrong answers

Option B is wrong because exact match only is the behavior of the EXACT match type, not WILDCARD. Option C is wrong because case-insensitive matching is controlled by the case_sensitive_match setting in the lookup definition, not by the match type. Option D is wrong because matching only on the first N characters is a form of prefix matching that can be achieved with WILDCARD using a trailing wildcard, but it is not the exclusive behavior; WILDCARD supports both prefix and suffix matching via wildcards at either end of the pattern.

112
Multi-Selectmedium

Which THREE of the following are valid options for the lookup command?

Select 3 answers
A.local=<bool>
B.rename <field> as <alias>
C.join <field>
D.output <newfield>
E.update=<bool>
AnswersA, D, E

local determines whether lookup runs on local search head.

Why this answer

Option A is correct because the `local=<bool>` parameter in the lookup command specifies whether the lookup should be performed on the search head (local) or distributed across indexers. When set to `true`, the lookup file is read from the search head; when `false`, it is distributed to all indexers, which is critical for performance in large environments.

Exam trap

Splunk often tests the distinction between command-level options (like `lookup` parameters) and standalone commands (like `rename` or `join`), tricking candidates into confusing a command's sub-options with entirely separate SPL commands.

113
MCQhard

A time-based lookup is configured with `max_offset_secs = 3600`. An event has a timestamp 100 seconds after the lookup time value. Will the lookup match?

A.Yes, but only if min_offset_secs is also set.
B.No, because the event timestamp is later than the lookup time.
C.No, because the event timestamp must be before the lookup time.
D.Yes, because the offset is within the allowed range.
AnswerD

The offset of 100 seconds is less than 3600, so it matches.

Why this answer

Option D is correct because the time-based lookup is configured with `max_offset_secs = 3600`, which defines the maximum allowed offset (in seconds) between the event timestamp and the lookup time. Since the event timestamp is 100 seconds after the lookup time, the offset is 100 seconds, which is well within the 3600-second window. No `min_offset_secs` is required for this match to succeed, as the default minimum offset is 0 (meaning the event timestamp can be equal to or later than the lookup time).

Exam trap

Splunk often tests the misconception that time-based lookups only work when the event timestamp is before the lookup time, but in reality, the `max_offset_secs` parameter allows events with timestamps after the lookup time, as long as the offset is within the configured range.

How to eliminate wrong answers

Option A is wrong because `min_offset_secs` is not required for a match when the event timestamp is later than the lookup time; the default minimum offset is 0, so the match works without it. Option B is wrong because the event timestamp being later than the lookup time does not prevent a match; the `max_offset_secs` parameter specifically allows events with timestamps after the lookup time, as long as the offset is within the configured range. Option C is wrong because the event timestamp does not need to be before the lookup time; time-based lookups support both forward and backward offsets depending on the configuration of `min_offset_secs` and `max_offset_secs`.

114
MCQmedium

A user wants to see the values of all fields in an event, including fields that are not automatically extracted. Which search command should be used?

A.`| rex`
B.`| fields *`
C.`| spath`
D.`| table *`
AnswerD

Lists all fields and values.

Why this answer

The `| table *` command displays all fields in each event, including those not automatically extracted, by listing every field in a tabular format. This is because the asterisk wildcard in `table` includes all fields present in the search results, regardless of whether they are extracted by default or through custom parsing. In contrast, `| fields *` only retains fields that are already known to the search index, not necessarily showing all raw event data.

Exam trap

Splunk often tests the misconception that `| fields *` shows all fields, but it actually restricts output to only extracted fields, whereas `| table *` includes all fields including those from raw event data.

How to eliminate wrong answers

Option A is wrong because `| rex` is used to extract fields using regular expressions from raw event data, not to display all fields. Option B is wrong because `| fields *` removes any fields not already extracted or indexed, effectively hiding non-automatically extracted fields. Option C is wrong because `| spath` is designed to extract fields from structured data formats like JSON or XML, not to display all fields in an event.

115
Multi-Selecthard

A Splunk admin wants to handle missing field values in a search. Which TWO commands can replace null values with a specified default? (Choose two.)

Select 2 answers
A.coalesce
B.eval
C.convert
D.fillnull
E.default
AnswersA, D

coalesce returns the first non-null value.

Why this answer

The `fillnull` command explicitly replaces null field values with a specified default string (or '0' if no default is given). The `coalesce` function, used within an `eval` command, returns the first non-null value from a list of fields or expressions, effectively replacing nulls with a fallback default. Both commands directly address missing field values by substituting a specified default.

Exam trap

Splunk often tests the distinction between commands that modify data (like `fillnull`) and functions that operate within `eval` (like `coalesce`), and the trap here is that candidates may incorrectly select `eval` alone or the non-existent `default` command, thinking they handle nulls without needing a specific function.

116
MCQmedium

A security analyst is investigating a breach and needs to extract the 'user_id' field from raw log events. The logs contain both structured and unstructured data. The analyst uses the following search: `index=security sourcetype=syslog | rex field=_raw "user_id=(?<user_id>\w+)" | stats count by user_id`. However, some events do not contain the 'user_id' pattern, but they have a 'username' field extracted by a default extraction. The analyst wants to create a unified field 'user_id' that includes values from both. Which approach should the analyst take?

A.Rename the 'username' field to 'user_id' using `rename username as user_id`
B.Use `eval user_id=mvindex(split(user_id+" "+username," "),0)` to combine the two fields
C.Use `fillnull value=N/A user_id` to handle missing values
D.Use `eval user_id=coalesce(user_id, username)` to take the first non-null value
AnswerD

`coalesce` returns the first non-null value among the fields, effectively unifying the field.

Why this answer

Option C is correct because using `coalesce` allows combining fields from different extractions into a single field. Option A is wrong because renaming only works if the field already exists, and the regex extraction may not always produce a value. Option B is wrong because the `eval` function with logical OR does not handle missing fields correctly.

Option D is wrong because `fillnull` only replaces null values, not combine fields.

117
MCQeasy

Which command is used to export the current search results to a CSV file that can be used as a lookup table?

A.outputcsv
B.outputlookup
C.inputlookup
D.lookup
AnswerB

Correct command to create a lookup table from results.

Why this answer

The `outputlookup` command is used to export the current search results to a CSV file that can be used as a lookup table. It writes the results to a lookup definition in Splunk, making the data available for subsequent searches via `inputlookup` or automatic lookup configurations.

Exam trap

The trap here is that candidates confuse `outputcsv` with `outputlookup`, assuming any CSV export can serve as a lookup, but only `outputlookup` properly registers the file as a lookup table in Splunk's lookup definitions.

How to eliminate wrong answers

Option A is wrong because `outputcsv` exports search results to a CSV file, but that file is not automatically registered as a lookup table; it is simply a static file in the Splunk search results directory. Option C is wrong because `inputlookup` is used to read data from an existing lookup table into a search, not to export results. Option D is wrong because `lookup` is used to perform a lookup against a defined lookup table during a search, not to export or create a lookup file.

118
Multi-Selecthard

Which TWO commands can be used to filter events based on field values?

Select 2 answers
A.where
B.lookup
C.fields
D.eval
E.search
AnswersA, E

Where filters events based on boolean expressions.

Why this answer

The `where` command is used to filter events based on field values using Boolean expressions. It evaluates each event against a condition and retains only those events where the condition is true, making it a direct filtering command for field values.

Exam trap

Splunk often tests the distinction between `where` and `eval` because candidates mistakenly think `eval` can filter events, but `eval` only creates or modifies fields without removing any events.

119
MCQhard

An organization is ingesting web proxy logs and wants to enrich them with a lookup table that maps internal IP addresses to employee names. The lookup table is updated weekly. Which configuration ensures the lookup is automatically applied to all searches without manual intervention, while also minimizing performance impact?

A.Create a macro that includes the 'lookup' command and share it with users.
B.Upload the lookup file each week and manually run a search to add the field.
C.Use the 'lookup' command in every search to fetch the employee name.
D.Configure an automatic lookup in props.conf and transforms.conf.
AnswerD

Automatic lookups are applied at search time to all matching events without manual effort.

Why this answer

Option D is correct because configuring an automatic lookup in props.conf and transforms.conf allows the lookup to be applied at search time without requiring users to manually invoke the lookup command. This configuration minimizes performance impact by leveraging indexed field values and caching, and it ensures the lookup is automatically applied to all searches as soon as the lookup file is updated weekly.

Exam trap

The trap here is that candidates often confuse automatic lookups with the 'lookup' command or macros, thinking that any automated approach requires user action, when in fact props.conf/transforms.conf provide true automatic application without manual intervention.

How to eliminate wrong answers

Option A is wrong because a macro still requires users to explicitly invoke it in their searches, which does not achieve automatic application without manual intervention. Option B is wrong because manually uploading the lookup file and running a search each week is not automated and introduces significant manual overhead and performance impact. Option C is wrong because using the 'lookup' command in every search requires users to remember to include it, which is not automatic and can degrade performance if the lookup is large or used frequently without caching.

120
Multi-Selectmedium

Which three of the following are valid methods for creating or using field extractions in Splunk? (Choose three.)

Select 3 answers
.Using the Field Extractor (FX) interactive tool to generate regex-based extractions
.Manually writing a regular expression in props.conf and transforms.conf
.Using the `| extract` command in a search to perform key-value pair extraction
.Using the `| fields` command to extract new fields from raw data
.Configuring automatic field extraction via the `fieldaliases.conf` file
.Using the `| rename` command to create new fields by renaming existing ones

Why this answer

The Field Extractor (FX) interactive tool is a valid method because it provides a GUI to generate regex-based extractions by highlighting sample data. Manually writing regular expressions in `props.conf` and `transforms.conf` is the standard way to define custom field extractions at the index-time or search-time level. The `| extract` command is valid because it performs key-value pair extraction on search results, typically for data formatted as `key=value` pairs, without requiring configuration files.

Exam trap

Splunk often tests the distinction between commands that manipulate existing fields (`| fields`, `| rename`) versus commands that create new fields from raw data (`| extract`, `| rex`), leading candidates to mistakenly select `| fields` or `| rename` as valid extraction methods.

121
MCQmedium

An analyst wants to compute the average response time for each server from web server logs. The field `response_time` is a string like '120ms'. What is the correct way to convert and compute?

A.eval response_time=response_time + "0" | stats avg(response_time) by server
B.eval response_num=replace(response_time, "ms", "") | eval response_num=response_num*1 | stats avg(response_num) by server
C.eval response_num=replace(response_time, "ms", "") | stats avg(response_num) by server
D.eval avg_response=avg(response_time)
AnswerB

Replace removes 'ms', and multiplying by 1 converts to numeric, then avg works.

Why this answer

Option B is correct because it uses eval to convert the string to a number by removing 'ms' and multiplying by 1 (or using tonumber). Option A is wrong because it adds literal 'ms' to numeric values. Option C is wrong because replace doesn't convert to numeric.

Option D is wrong because it adds the unit back.

122
MCQmedium

An organization needs to enrich authentication events with employee department information stored in a MySQL database. The data is updated frequently. Which lookup type is most appropriate?

A.External lookup
B.Geographic lookup
C.CSV file lookup
D.KV store lookup
AnswerD

KV store can connect to external databases and update in near-real-time.

Why this answer

A KV Store lookup is the most appropriate choice because it supports real-time, bidirectional updates via the REST API, allowing the organization to frequently modify employee department data in a MySQL database and have those changes reflected immediately in Splunk. Unlike static CSV lookups or external lookups that require manual reloading or script execution, the KV Store provides a scalable, dynamic lookup mechanism that integrates seamlessly with Splunk's search-time field enrichment.

Exam trap

The trap here is that candidates often choose CSV file lookup (Option C) because it is the simplest and most familiar lookup type, failing to recognize that it cannot handle frequently updated data without manual reloading or scheduled scripts, whereas the KV Store is designed for dynamic, real-time updates.

How to eliminate wrong answers

Option A is wrong because an external lookup relies on an external script or command to retrieve data, which introduces latency and complexity for frequently updated data, and it does not natively support bidirectional updates like the KV Store. Option B is wrong because a geographic lookup is specifically designed for mapping IP addresses or coordinates to geographic locations, not for enriching authentication events with employee department information from a database. Option C is wrong because a CSV file lookup is static and requires manual reloading or a scheduled script to reflect changes, making it unsuitable for frequently updated data that needs real-time enrichment.

123
MCQeasy

A user notices that a calculated field defined in props.conf is not appearing in search results. Which of the following is the most likely cause?

A.The calculated field requires index-time field extraction.
B.The source fields used in the calculation are not extracted.
C.The calculated field is defined in a field alias configuration.
D.The indexer is not configured to apply calculated fields.
AnswerB

Calculated fields depend on source fields being available.

Why this answer

Calculated fields in Splunk are evaluated at search time based on existing extracted source fields. If the source fields referenced in the calculation are not extracted (e.g., due to missing or incorrect field extraction configurations), the calculated field will not appear in search results. Option B correctly identifies this dependency.

Exam trap

The trap here is that candidates often confuse calculated fields with index-time field extractions or field aliases, assuming the issue is with indexing or alias configuration rather than the fundamental dependency on source field extraction.

How to eliminate wrong answers

Option A is wrong because calculated fields are search-time constructs, not index-time; they do not require index-time field extraction. Option C is wrong because a calculated field is defined in props.conf under the [EVAL-<fieldname>] stanza, not in a field alias configuration (which uses [fieldalias] in transforms.conf). Option D is wrong because calculated fields are applied by the search head during search-time processing, not by the indexer; indexers handle indexing and raw data storage, not calculated field evaluation.

124
MCQmedium

An analyst runs `| inputlookup mylookup.csv` but gets no results. The lookup file exists. What is the most likely cause?

A.The file is not in the correct lookup directory.
B.The search time range is too narrow.
C.The lookup command requires an output fields.
D.The file is not sorted.
AnswerA

The file must be in the lookup directory specified in props.conf or the default lookups folder.

Why this answer

The `| inputlookup` command reads lookup files only from the lookups directory within the current app or from the system-level lookups directory. If the file exists elsewhere on the filesystem (e.g., in a custom path or the user's home directory), the command will return no results. This is the most likely cause because the error is not about the file's existence but about its location relative to Splunk's expected lookup paths.

Exam trap

Splunk often tests the misconception that `| inputlookup` works like a standard file read command, leading candidates to overlook the strict directory requirement and instead blame time range or file formatting issues.

How to eliminate wrong answers

Option B is wrong because `| inputlookup` does not depend on the search time range; it loads the entire static lookup file regardless of time. Option C is wrong because `| inputlookup` does not require an `outputfields` argument; it returns all fields in the lookup file by default. Option D is wrong because lookup files do not need to be sorted for `| inputlookup` to work; sorting is only relevant for certain lookup operations like `| lookup` with `max_matches` or performance optimizations, not for basic file loading.

← PreviousPage 2 of 2 · 124 questions total

Ready to test yourself?

Try a timed practice session using only Fields Lookups questions.