CCNA Reports Dashboards Questions

75 of 123 questions · Page 1/2 · Reports Dashboards topic

1
MCQ · hard

Refer to the exhibit. The timechart returns only partial results for some sourcetypes, and there are gaps in the timeline. Which is the most likely reason?

A. The timechart span=1h conflicts with the tstats span
B. The tstats command only uses summary data, which may not cover all time ranges
C. The sourcetype field is not summarized
D. The where clause is invalid
Answer: B

summariesonly=t restricts tstats to precomputed summaries; if the summary is incomplete, results will have gaps.

Why this answer

The `tstats` command in Splunk operates on indexed-time summary data stored in the tsidx files, not on raw events. This summary data is generated during indexing based on the data model acceleration or summary indexing configuration, and it may not cover all time ranges if the acceleration has not been built for those periods or if the data model is not fully accelerated. As a result, `tstats` can return partial results and gaps in the timeline, especially when the time range extends beyond the accelerated data coverage.

Exam trap

Splunk often tests the misconception that `tstats` behaves like `search` or `stats` and can access all raw events, but the trap here is that candidates overlook the fact that `tstats` is limited to summary data and may not cover all time ranges if acceleration is incomplete or not configured.

How to eliminate wrong answers

Option A is wrong because the `timechart span=1h` does not conflict with the `tstats span`; `tstats` does not have a `span` argument — it uses the `_time` field and the `timechart` command applies its own binning after `tstats` returns results, so no conflict exists. Option C is wrong because the `sourcetype` field is a default indexed field that is always summarized in the tsidx files, so it is available for `tstats` to use. Option D is wrong because the `where` clause in the exhibit is syntactically valid (e.g., `where sourcetype=access_*` is a valid pattern match), and there is no indication of an invalid syntax or runtime error.

2
Multi-Select · medium

Which THREE best practices should be followed when creating dashboards for a large organization with many users?

Select 3 answers
A. Use scheduled searches instead of real-time to reduce load
B. Limit the number of panels to avoid clutter and improve performance
C. Use multiple base searches per panel for flexibility
D. Apply role-based access controls to dashboard elements
E. Use exclusively real-time searches for up-to-date data
Answers: A, B, D

Scheduled searches minimize real-time indexer load and are recommended for large environments.

Why this answer

Option A is correct because scheduled searches run at defined intervals and cache results, reducing the load on indexers and search heads compared to real-time searches that continuously stream data. This is especially important in large organizations with many users, as real-time searches can consume significant system resources and degrade performance for all users.

Exam trap

Splunk often tests the misconception that using multiple base searches per panel provides flexibility, but in reality it increases load and complexity, and the best practice is to minimize base searches and use post-process searches or chain searches instead.

3
Multi-Select · hard

Which TWO are valid methods to share a dashboard with other users without granting them edit permissions?

Select 2 answers
A. Embed the dashboard in an external website
B. Clone the dashboard and give the clone to users
C. Add the dashboard to a dashboard group with view permissions
D. Share the dashboard's URL with users who have read access
E. Export the dashboard as a PDF and email it
Answers: C, D

Controls access.

Why this answer

Option C is correct because Splunk allows you to add a dashboard to a dashboard group and set the group's permissions to 'read' (view) only. This grants users access to view the dashboard without the ability to edit it, as edit permissions are controlled separately via roles and object-level ACLs.

Exam trap

The trap here is that candidates confuse 'sharing a URL' (which only works if the user already has read access) with a permission-granting method, and they overlook that cloning does not automatically restrict edit permissions—it creates a new dashboard the recipient can edit unless permissions are explicitly set.

4
MCQ · hard

A compliance report must show the average latency per service for each hour over the past 30 days. The data set contains millions of events. To ensure the report finishes within a reasonable time, which approach is recommended?

A. Use the tstats command over a data model
B. Use timechart span=1h avg(latency) by service
C. Use stats avg(latency) by service, _time span=1h
D. Pre-process data using a summary index that runs hourly
Answer: A

tstats leverages acceleration and is optimized for large datasets.

Why this answer

The tstats command is optimized for use with data models and runs on indexed fields in the tsidx files, making it far faster than stats or timechart on raw events for large datasets. By pre-defining a data model with the latency field and using tstats, you avoid scanning millions of raw events and instead query pre-aggregated statistics, ensuring the report completes within a reasonable time.

Exam trap

Splunk often tests the misconception that timechart or stats with span is sufficient for large datasets, but the trap here is that candidates overlook the performance advantage of tstats over a data model, which is specifically designed for high-speed aggregation on massive datasets.

How to eliminate wrong answers

Option B is wrong because timechart operates on raw events, requiring a full scan of all events over 30 days, which is inefficient for millions of events and will likely time out or run slowly. Option C is wrong because stats with _time span=1h also processes raw events and does not leverage any pre-computed indexes or data models, leading to the same performance issue. Option D is wrong because while a summary index can improve performance, the question asks for an approach that ensures the report finishes within a reasonable time given the existing data set, and pre-processing with a summary index requires additional setup and maintenance; the recommended approach for immediate use is tstats over a data model.

5
MCQ · medium

An IT administrator has a dashboard with multiple panels that all use the same base search but with different post-processing filters. The dashboard is slow to load. Which optimization technique is most effective?

A. Implement a base search and use post-process searches
B. Remove data model acceleration from the underlying data
C. Enable report acceleration on each panel
D. Duplicate the base search in each panel
Answer: A

Base search runs once and feeds to post-process panels, improving performance.

Why this answer

Option A is correct because a single base search feeding post-process searches runs the shared search once instead of once per panel, removing the duplicated search execution that slows the dashboard. Option D is wrong because duplicating the base search in each panel multiplies the load, since every panel re-runs the same search. Option C is wrong because report acceleration applies to individual saved reports, not to a dashboard's base search.

Option B is wrong because removing data model acceleration does nothing to reduce duplicated search execution and won't help.

6
Multi-Select · medium

Which two of the following are actions that can be performed on a report after it is created? (Choose two.)

Select 2 answers
A. Modify its search query
B. Delete it from the index
C. Embed it in a dashboard
D. Convert it to an alert
E. Schedule it
Answers: C, E

You can add a report as a dashboard panel.

Why this answer

Option C is correct because reports in Splunk can be embedded into dashboards as panels, allowing users to visualize report results directly within a dashboard context. This is done by adding a report panel to a dashboard XML or using the dashboard editor, which references the saved report's search ID (SID) to render the data.

Exam trap

Splunk often tests the distinction between actions that modify a report's definition (like editing the search query) versus actions that use the report as a data source (like embedding or scheduling), leading candidates to incorrectly select 'Modify its search query' as a separate post-creation action when it is actually part of editing the report.

7
Multi-Select · easy

A user wants to add a panel to an existing dashboard in Splunk. Which TWO of the following methods can be used to achieve this?

Select 2 answers
A. From the dashboard, click 'Clone Panel' on an existing panel.
B. From the dashboard listing, click 'Edit' and then 'Import Panel'.
C. From the search app, click 'Add to Dashboard' after running a search.
D. From a search results page, click 'Save As' and select 'Dashboard Panel'.
E. From the dashboard, click 'Edit Dashboard' then 'Add Panel'.
Answers: D, E

This allows you to save a search as a dashboard panel, adding it to a dashboard.

Why this answer

The correct methods are clicking 'Edit Dashboard' and then 'Add Panel' from the dashboard itself (Option E) and clicking 'Save As' and selecting 'Dashboard Panel' from a search results page (Option D). The other options are not standard Splunk Web workflows or do not add a new panel.

8
MCQ · medium

A user created a dashboard panel with a search that uses a token. The token is not being applied when the user modifies the dropdown. What is the most likely cause?

A. The input has a default value that overrides user selections
B. The dashboard is set to 'disabled' mode
C. The token name in the search does not match the token in the input
D. The panel is set to 'static'
Answer: C

Token names are case-sensitive and must match exactly for the input to control the search.

Why this answer

Option C is correct because for a token to dynamically filter search results in a Splunk dashboard, the token name referenced in the search string (e.g., `$token_name$`) must exactly match the token name defined in the input's `token` attribute. If these names differ, the search will not receive the selected value, and the token will appear unapplied.

Exam trap

Splunk often tests the candidate's attention to detail by presenting a scenario where the token appears correctly configured but the names are subtly mismatched (e.g., case sensitivity or extra characters), leading candidates to overlook the exact token name alignment.

How to eliminate wrong answers

Option A is wrong because a default value does not override user selections; it only sets the initial value before the user interacts, and once the user selects a new value, the token updates. Option B is wrong because 'disabled' mode prevents the dashboard from running searches at all, not just failing to apply a token from a dropdown. Option D is wrong because a 'static' panel does not run a search, so the token mismatch would not be the issue; the panel would simply display static content regardless of token changes.

9
MCQ · medium

An analyst creates a dashboard with multiple panels. One panel shows a table of top users by login count. The analyst wants to add a second panel that updates based on the user clicked in the first panel. Which feature should be used?

A. Schedule the first panel as a report and the second as a related report.
B. Enable drilldown on the first panel to set a token, and reference that token in the second panel's search.
C. Use the same chart type for both panels to ensure consistency.
D. Set both panels to use the same time range picker.
Answer: B

Token passing enables inter-panel communication.

Why this answer

Drilldown in Splunk allows you to pass context from one panel to another by setting tokens when a user clicks on a value. The first panel's drilldown can set a token (e.g., `$clicked_user$`) which is then referenced in the second panel's search using `| search user=$clicked_user$`. This enables dynamic filtering without requiring separate reports or manual interaction.

Exam trap

The trap here is that candidates confuse visual consistency (same chart type) or time synchronization with the interactive data-linking capability that only drilldown and tokens provide.

How to eliminate wrong answers

Option A is wrong because scheduling panels as reports does not enable interactive cross-panel filtering; reports are static snapshots, not dynamic linked views. Option C is wrong because using the same chart type ensures visual consistency but has no effect on data interaction or token passing between panels. Option D is wrong because setting both panels to the same time range picker only synchronizes time selection, not user-specific click interactions.

10
MCQ · hard

A power user creates a dashboard with a panel that uses a search returning 10,000 events. The dashboard should display a single value representing the count of unique users. Which search approach is most efficient?

A. `Search index=main | eval user=lower(user) | stats dc(user)`
B. `Search index=main | fields user | dedup user | stats count`
C. `Search index=main | stats dc(user) as unique_users`
D. `Search index=main | table user | stats dc(user)`
Answer: C

stats dc(user) efficiently counts unique users without returning all events.

Why this answer

Option C is correct because `| stats dc(user)` aggregates early, returning only the distinct count instead of all events and so reducing memory use. Option B is wrong because it brings back all events to `dedup` before counting, which is inefficient. Option A is wrong because the `eval` is unnecessary and adds complexity.

Option D is wrong because `| table` on a large result set uses more memory.

11
MCQ · easy

A security analyst creates a dashboard to monitor failed login attempts over the past 24 hours. Which visualization type is most appropriate for showing the trend of failed logins over time?

A. Line chart
B. Single value
C. Pie chart
D. Scatter plot
Answer: A

Line charts are ideal for showing trends over time.

Why this answer

A line chart is the most appropriate visualization for showing the trend of failed login attempts over time because it plots continuous data points along a time axis, allowing the analyst to easily identify patterns, spikes, or declines in the event count. In Splunk, a timechart command (e.g., `timechart count by action`) generates data that is best rendered as a line chart to display the temporal progression of failed logins over the past 24 hours.

Exam trap

Splunk often tests the misconception that a pie chart can show changes over time because it visually represents parts of a whole, but the trap here is that pie charts are static and cannot display temporal trends, leading candidates to incorrectly choose it for time-series data.

How to eliminate wrong answers

Option B (Single value) is wrong because it displays only a single aggregated number (e.g., total failed logins) and cannot show changes or trends over time, which is the core requirement. Option C (Pie chart) is wrong because it is designed to show proportions of a whole at a single point in time, not trends across a time range; using it for time-series data would obscure temporal patterns. Option D (Scatter plot) is wrong because it is used to show the relationship between two numerical variables (e.g., correlation), not to display a single metric's progression over a continuous time axis, and it would not clearly convey the trend of failed logins.

12
Multi-Select · easy

Which two of the following are valid ways to create a report in Splunk? (Choose two.)

Select 2 answers
A. Convert a dashboard panel to a report
B. Schedule an alert
C. Save a search as a report
D. Import an external CSV as a report
E. Use the Report Builder
Answers: C, E

This is the primary method to create a report from an existing search.

Why this answer

Option C is correct because Splunk allows you to save any search as a report directly from the Search & Reporting app. When you run a search and click 'Save As' > 'Report', Splunk stores the search string, time range, and visualization settings as a reusable report object in the knowledge object store. This is a fundamental method for creating reports in Splunk.

Exam trap

The trap here is that candidates often confuse saving a search as a report with converting a dashboard panel, not realizing that Splunk only supports converting reports into dashboard panels, not the reverse.

13
MCQ · medium

Refer to the exhibit. This search produces a table with hosts as rows and status codes as columns. The user wants to visualize this as a stacked column chart showing the distribution of status codes per host. Which chart type should be selected?

A. Stacked column chart
B. Line chart
C. Pie chart
D. Scatter chart
Answer: A

Shows composition per host.

Why this answer

A stacked column chart is the correct choice because the search result is a table with hosts as rows and status codes as columns, representing categorical data (hosts) with multiple subcategories (status codes) that sum to a total per host. The stacked column chart visually shows the distribution of each status code within each host, allowing comparison of both the total count per host and the relative contribution of each status code. This aligns with Splunk's visualization best practices for multi-series categorical data where the sum of parts equals a whole.

Exam trap

The trap here is that candidates may choose a pie chart thinking it shows 'distribution,' but they overlook that a pie chart cannot handle multiple categories (hosts) simultaneously, whereas a stacked column chart correctly represents the hierarchical breakdown per host.

How to eliminate wrong answers

Option B is wrong because a line chart is designed for continuous data over time or a sequential axis, not for categorical comparisons of hosts and status codes where the x-axis is non-numeric. Option C is wrong because a pie chart can only show the proportion of a single categorical variable (e.g., total status codes across all hosts) and cannot represent multiple hosts as separate slices with sub-slices for status codes. Option D is wrong because a scatter chart requires two numeric fields for x and y axes to plot points, but the data here consists of categorical hosts and numeric counts of status codes, lacking a second numeric variable for correlation.

14
MCQ · easy

A user wants to create a dashboard panel that refreshes automatically every 60 seconds. Which setting must be configured in the panel's edit mode?

A. Add | delay 60 to the search
B. Set the Refresh Interval to 60 seconds
C. Schedule the search to run every 60 seconds
D. Set the Time Range to Last 60 seconds
Answer: B

Directly sets the auto-refresh time.

Why this answer

Option B is correct because the dashboard panel's edit mode includes a 'Refresh Interval' setting that allows you to specify an automatic refresh period in seconds. Setting this to 60 causes the panel to re-run its underlying search and update the visualization every 60 seconds without manual intervention.

Exam trap

The trap here is that candidates confuse the 'Refresh Interval' setting in dashboard panel edit mode with scheduling a search or adjusting the time range, assuming any periodic behavior must involve a scheduled search or a time-based command.

How to eliminate wrong answers

Option A is wrong because the | delay command is not a valid Splunk SPL command; it does not exist and would cause a search error. Option C is wrong because scheduling a search to run every 60 seconds applies to saved searches and alerts, not to dashboard panel auto-refresh; dashboard panels use the Refresh Interval setting, not search scheduling. Option D is wrong because setting the Time Range to 'Last 60 seconds' only controls the time window of data retrieved, not the frequency at which the panel refreshes; the panel would still only refresh when manually triggered or if a separate refresh interval is configured.

15
MCQ · medium

A dashboard designer adds a radio button input to filter by department. When a user selects a department, the panel does not update. What is the most likely cause?

A. The radio button input is not configured with a default value
B. The token name in the search does not match the input's token name
C. The search string does not include a token referencing the input
D. The input's label field is empty
Answer: C

Without a token reference, changing the input has no effect on the search.

Why this answer

Option C is correct because the search must include a token reference such as `$department$` for the input's value to reach it at all. Option A is wrong because a default value is not required for an input to set its token when the user makes a selection; the core issue is token usage. Option B is wrong because a token name mismatch is a possible issue, but a missing token reference is the more fundamental cause.

Option D is wrong because the input's label has no effect on the search.

16
MCQ · easy

In Splunk Web, which option allows a user to save a search result as a report that can be added to a dashboard later?

A. Click 'Save As' and select 'Report'.
B. Click 'Save As' and select 'Search'.
C. Click 'Save As' and select 'Alert'.
D. Click 'Save As' and select 'Dashboard Panel'.
Answer: A

This creates a report that can later be added to a dashboard as a panel.

Why this answer

Option A is correct because in Splunk Web, the 'Save As' menu provides a direct option to save a search result as a report. A report is a saved search that can be reused, scheduled, and added to dashboards as a dashboard panel later. This workflow is the standard method for creating a persistent search artifact that can be visualized on a dashboard.

Exam trap

The trap here is that candidates may confuse 'Save As > Report' with 'Save As > Dashboard Panel', but Splunk requires you to save the search as a report first before you can add it to a dashboard, or use the 'Add to Dashboard' button from the search results page.

How to eliminate wrong answers

Option B is wrong because selecting 'Search' under 'Save As' does not exist; the correct terminology is 'Report' for saving a search result. Option C is wrong because 'Alert' is used to trigger actions based on search results meeting certain conditions, not to save a search result as a reusable report for dashboards. Option D is wrong because 'Dashboard Panel' is not a direct save option; you first save a report, then add it to a dashboard as a panel, or you can create a dashboard panel directly from a search using the 'Add to Dashboard' option, but 'Save As' does not offer 'Dashboard Panel'.

17
MCQ · hard

A dashboard uses tokens for time range selection. The admin wants to ensure that when a user changes the time range picker from 'Last 24 hours' to 'Last 7 days', all panels in the dashboard update accordingly. What is the correct way to define the token in Simple XML?

A. Define a token $range$ in the time range picker's onChange event.
B. Use the default time range tokens $earliest$ and $latest$ without additional definition.
C. Define a custom token $time_range$ and bind the time range picker to it, then reference $time_range$ in each panel's search.
D. Set the token $timePicker$ in the dashboard's init block.
Answer: B

The default tokens are automatically updated by the time range picker.

Why this answer

Option B is correct because Splunk's Simple XML automatically provides the default time range tokens $earliest$ and $latest$ that are updated whenever the time range picker is changed. These tokens are implicitly bound to the dashboard's time picker, so no additional definition or event handler is needed for all panels to reflect the new time range.

Exam trap

Splunk often tests the misconception that custom tokens or explicit event handlers are required to propagate time range changes, when in fact the default $earliest$ and $latest$ tokens are automatically bound to the time picker and update all panels seamlessly.

How to eliminate wrong answers

Option A is wrong because the time range picker does not have an onChange event; tokens are updated automatically by the framework, and defining a token in an onChange event is unnecessary and not a standard Simple XML approach. Option C is wrong because defining a custom token and binding it to the time range picker is redundant; the default $earliest$ and $latest$ tokens already handle the time range propagation, and custom tokens would require manual binding in each panel's search, which is error-prone. Option D is wrong because there is no $timePicker$ token or init block in Simple XML for time range selection; the time range is managed through the default tokens and the dashboard's time picker element, not a custom init block.

18
Multi-Select · medium

Which of the following are true about creating and managing dashboards in Splunk? (Choose all that apply. There are four correct answers.)

Select 4 answers
A. A dashboard can include panels based on reports, inline searches, or both.
B. A dashboard panel can display data using visualizations such as charts, tables, and maps.
C. A dashboard can be created from scratch using the Dashboard Editor without any existing search.
D. When editing a dashboard, you can set permissions to control which users can view or edit it.
E. All dashboards must be based on a saved report before they can be created.
F. Dashboards can only contain up to five panels per dashboard.

Why this answer

All four selected options are correct because Splunk dashboards are flexible: they can combine panels from saved reports and inline searches, support multiple visualization types (charts, tables, maps), can be built from scratch using the Dashboard Editor without requiring a pre-existing search, and allow permission settings to control user access and editing rights. These features are core to Splunk's dashboard functionality as documented in the Splunk Dashboard documentation.

Exam trap

The trap here is that candidates often assume dashboards require pre-existing saved reports or have arbitrary panel limits, but Splunk explicitly supports inline searches and has no fixed panel count restriction.

19
MCQ · medium

An analyst needs to see the top 5 error codes by count. Which visualization is most appropriate?

A. Pie chart
B. Line chart
C. Bar chart
D. Single Value
Answer: C

Bar charts display categories side-by-side, making comparisons easy.

Why this answer

A bar chart is the most appropriate visualization for comparing the count of distinct error codes because it allows easy comparison of categorical data (error codes) against a numeric value (count). In Splunk, the `top` command or `stats count by error_code` produces results that are best visualized with a bar chart to show the relative frequency of each error code, and the chart can be limited to the top 5 by setting the limit in the search or chart properties.

Exam trap

The trap here is that candidates often choose a pie chart because they think of 'top 5' as parts of a whole, but Splunk's exam emphasizes that bar charts are better for comparing counts across categories, especially when the categories are not mutually exclusive or when precise comparison is needed.

How to eliminate wrong answers

Option A is wrong because a pie chart is used to show proportions of a whole, but when comparing the top 5 error codes by count, a bar chart provides a clearer comparison of exact counts without the distortion of angles or areas, especially when counts are similar. Option B is wrong because a line chart is designed to show trends over a continuous time series, not discrete categorical comparisons like error codes; using it here would misrepresent the data as having a sequential order. Option D is wrong because a Single Value visualization displays only one aggregate metric (e.g., total count), not the top 5 individual error codes and their counts, so it cannot show the required breakdown.

20
MCQ · hard

A report uses `| timechart count by action`. The user wants to show only the top 3 actions and combine all others into a single 'Other' column. Which argument should be added?

A. `limit=3 useother=t`
B. `limit=3`
C. `useother=t`
D. `other=t`
Answer: A

This limits to top 3 and groups remaining as 'Other'.

Why this answer

The `timechart` command in Splunk uses the `limit` argument to control the number of distinct series (columns) displayed. Adding `limit=3` restricts the output to the top 3 values by count, and `useother=t` automatically groups all remaining values into a single 'Other' column. Without `useother=t`, the extra values are simply dropped, not aggregated.

Exam trap

Splunk often tests the distinction between `limit` (which truncates data) and `useother` (which aggregates leftovers), and candidates mistakenly think `limit` alone will create an 'Other' column.

How to eliminate wrong answers

Option B is wrong because `limit=3` alone only shows the top 3 actions and discards all others without combining them into an 'Other' column. Option C is wrong because `useother=t` without a `limit` argument defaults to showing all series (up to 10 by default) and does not restrict to the top 3. Option D is wrong because `other=t` is not a valid argument for `timechart`; the correct parameter is `useother`.

21
MCQ · easy

A user wants to create a dashboard panel that shows a single number representing the total number of errors in the last 24 hours. Which visualization type should be used?

A. Single value
B. Pie chart
C. Bar chart
D. Line chart
Answer: A

Single value visualization displays one number, fitting the requirement.

Why this answer

A Single Value visualization is designed to display a single numeric metric prominently, making it the ideal choice for showing the total number of errors in the last 24 hours. It directly answers the user's requirement for a single number without any additional chart elements or time-series context.

Exam trap

The trap here is that candidates may confuse a Single Value with a Line chart or Bar chart because they think 'errors over time' requires a trend, but the question explicitly asks for a single number representing the total, not a trend.

How to eliminate wrong answers

Option B (Pie chart) is wrong because pie charts are used to show proportions or percentages of a whole across categories, not a single aggregated count. Option C (Bar chart) is wrong because bar charts compare values across multiple categories or time periods, whereas the requirement is for a single total number. Option D (Line chart) is wrong because line charts display trends over time, which would be unnecessary and misleading for a single aggregated value like total errors in the last 24 hours.

22
MCQ · medium

A security analyst needs to create a report that shows the count of failed login attempts by user over the last 24 hours, updated every hour. The report should be accessible to the SOC team but not to other users. Which sequence of steps should the analyst follow?

A. Run the search, click 'Save As' -> 'Report', set schedule to hourly, then create an alert action to email the report to the SOC team.
B. Run the search, click 'Save As' -> 'Report', set permissions to 'Shared in App' with SOC role, then 'Schedule' hourly.
C. Run the search, click 'Save As' -> 'Dashboard Panel', add to a SOC dashboard, then schedule the dashboard.
D. Run the search, click 'Save As' -> 'Alert', set permissions to private, then schedule the alert to trigger hourly.
Answer: B

Correct workflow for a scheduled report with restricted access.

Why this answer

Option B is correct because saving the search as a report, restricting its permissions to the SOC role, and scheduling it hourly gives the SOC team access without exposing the report to others. Option C is wrong because saving as a dashboard panel does not create a scheduled report. Option D is wrong because alerts are not reports.

Option A is wrong because emailing the report through an alert action defeats the purpose of on-demand access, and the step sequence never restricts the report's permissions.

23
Multi-Select · hard

A dashboard panel uses a search that returns time-series data. Which TWO chart options are available in the 'Format' tab of the chart editor to modify the appearance of a line chart? (Choose two.)

Select 2 answers
A. Connect missing data
B. Line style (solid, dashed, dotted)
C. Pie area
D. Stack mode
E. Gauge style
Answers: A, B

This option controls whether to interpolate missing data points.

Why this answer

Option A is correct because the 'Connect missing data' setting in the Format tab of the chart editor allows you to bridge gaps in time-series data by drawing a line across null or missing values. This is useful when your search returns sparse data points and you want a continuous visual line, rather than breaks in the chart.

Exam trap

Splunk often tests the distinction between formatting options that are specific to a chart type (e.g., line chart) versus those that belong to other chart types (e.g., area, gauge), leading candidates to mistakenly select 'Stack mode' or 'Gauge style' because they are common formatting terms in other contexts.

24
MCQeasy

A developer wants to display server CPU usage that updates every second on a dashboard. Which panel configuration is appropriate?

A.Add a chart panel with time range set to 'Real-time' and refresh set to 'Real-time'
B.Add a statistics table with real-time search
C.Add a chart panel with refresh set to 1 second and time range -1m
D.Add a single value panel with refresh set to 1s
AnswerA

This creates a real-time chart that continuously updates.

Why this answer

Option A is correct: a chart panel with time range set to 'Real-time' and refresh set to 'Real-time' provides a continuously updating visualization. Option D (single value) can be real-time but is not the standard choice for time-series data; Option B uses a statistics table, which is less visual; Option C has a refresh interval but is not a real-time search.

25
MCQmedium

A security analyst creates a report that shows the count of failed login attempts by user over the last 7 days. The report uses the `top` command. However, the report only shows the top 10 users, but the analyst wants to see all users. What should the analyst do?

A.Add the `limit=0` argument to the `top` command.
B.Use the `rare` command instead.
C.Change the time range to include more data.
D.Use the `stats count by user` command and sort descending.
AnswerA

Adding `limit=0` removes the default 10-row limit, showing all users.

Why this answer

The `top` command in Splunk defaults to showing the top 10 results. Adding `limit=0` removes this limit, displaying all users with failed login attempts. This is the correct approach because `top` already counts occurrences and sorts them, so the analyst only needs to override the default limit.

Exam trap

The trap here is that candidates may think `limit=0` is invalid or that changing the time range will show more results, but the default limit of 10 is the core issue, and `limit=0` is the correct way to remove it.

How to eliminate wrong answers

Option B is wrong because the `rare` command shows the least common values, not all values, and would not display all users. Option C is wrong because the time range does not affect the number of results shown by `top`; it only affects the data being searched. Option D is wrong because while `stats count by user` and sorting descending would show all users, it is a different approach that requires additional syntax; the question specifically asks what to do with the existing `top` command, not how to rewrite the search.

26
MCQeasy

When creating a dashboard panel that displays a line chart of CPU usage over time, which visualization option should be used to show multiple series (each CPU core) with different colors?

A.Overlay
B.Line mode
C.Stacking
D.Markers
AnswerA

Overlay enables multiple series with distinct colors.

Why this answer

Option A is correct because the 'Overlay' visualization option in Splunk allows you to display multiple data series (e.g., each CPU core) as separate lines on the same chart, each with a distinct color. This is essential for comparing CPU usage across cores over time without merging or stacking the values, which would obscure individual core behavior.

Exam trap

Splunk often tests the confusion between 'Overlay' and 'Stacking', where candidates mistakenly choose 'Stacking' thinking it will show multiple series, but it actually aggregates them into a single cumulative area, losing individual core visibility.

How to eliminate wrong answers

Option B (Line mode) is wrong because it controls whether the chart displays lines, markers, or both, but does not enable multiple series with different colors; it only affects the rendering style of a single series. Option C (Stacking) is wrong because it aggregates multiple series by stacking their values on top of each other, which would show cumulative CPU usage rather than individual core performance, making it impossible to distinguish each core's trend. Option D (Markers) is wrong because it adds data point indicators (e.g., dots) to the line chart but does not introduce multiple series or color differentiation; it only enhances the visibility of individual data points.

27
MCQhard

Refer to the exhibit. The dashboard panel is not displaying data when the input changes. What is the most likely cause?

A.The input uses `searchWhenChanged="true"` which prevents dashboard loading.
B.The search uses `timechart` which requires a time field.
C.The chart type is not specified.
D.The token name in the search is "$token$" but the input token is "source".
AnswerD

Token names must match; the search uses the wrong token name.

Why this answer

Option D is correct because the token in the search is `$token$` but the input defines the token as `source`. Token names must match.

Option A is incorrect because `searchWhenChanged="true"` triggers a search when the input changes, which is the desired behavior.

Option C is incorrect because a chart type is not required; it defaults to a column chart.

Option B is incorrect because `timechart` uses `_time` by default, so a time field is not missing.
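To make the token mismatch concrete, here is an added Simple XML example (constructed for this page, not the exhibit or Splunk's own sample code) with a dropdown input that defines the token `source` and a chart search that references it. The commented-out query shows the broken form: a search that references an undefined token (`$token$`) never runs, so the panel waits for input and shows no data. The index, source values and time range are assumptions.

```xml
<form>
  <label>Events by source (constructed example)</label>
  <fieldset submitButton="false">
    <!-- The input defines a token named "source"; the search must use $source$ -->
    <input type="dropdown" token="source" searchWhenChanged="true">
      <label>Source</label>
      <choice value="web">web</choice>
      <choice value="db">db</choice>
      <default>web</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <chart>
        <search>
          <!-- Broken: $token$ is never set by any input, so this search never executes -->
          <!-- <query>index=main source=$token$ | timechart count</query> -->
          <!-- Fixed: token name matches the input's token attribute -->
          <query>index=main source=$source$ | timechart count</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

A quick check when a panel stays empty after an input changes: compare every `$...$` reference in the panel's `<query>` against the `token` attributes of the form's inputs; any reference without a matching input (or a `<set>`/`<eval>` that defines it) leaves the search waiting indefinitely.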

28
Multi-Selecteasy

Which THREE are essential components of a Splunk dashboard?

Select 3 answers
A.Panels (e.g., charts, tables)
B.Inputs (e.g., dropdowns, time pickers)
C.Reports (saved searches)
D.Alerts (scheduled actions)
E.Searches (embedded or referenced)
AnswersA, B, E

Core visual elements.

Why this answer

Panels are the fundamental visual building blocks of a Splunk dashboard. Each panel displays data using a visualization type such as a chart, table, single value, or map, and is powered by either an inline search or a referenced saved search. Without panels, a dashboard would have no content to present to the user.

Exam trap

Splunk often tests the distinction between 'essential dashboard components' and 'optional dashboard features' — the trap here is that candidates confuse saved searches (reports) and alerts as being part of the dashboard structure, when in fact they are separate Splunk knowledge objects that can be used by dashboards but are not required.

29
MCQhard

A report is scheduled to run every hour but sometimes returns incomplete data because the search is too slow and times out. Which action should be taken to improve reliability without losing data?

A.Use a summary index to pre-aggregate data
B.Add the 'lazy' command to defer computation
C.Reduce the time range to the last 30 minutes
D.Increase the search auto-finalization time
AnswerA

Pre-aggregating data into a summary index makes searches much faster and avoids timeouts.

Why this answer

A summary index pre-aggregates data at search time, storing the results in a separate index. When the report runs, it queries the summary index instead of the raw data, which is much faster and avoids timeouts. This ensures all data is captured because the summary is built incrementally from the full data set, not by sampling or truncating.

Exam trap

Splunk often tests the misconception that extending timeouts or reducing data scope is a valid fix for performance issues, but the correct approach is to pre-aggregate data to avoid scanning raw events entirely.

How to eliminate wrong answers

Option B is wrong because there is no 'lazy' command in SPL; this is a fabricated option that does not exist. Option C is wrong because reducing the time range to the last 30 minutes would cause data loss—the report would only cover a subset of the intended hour, not improve reliability. Option D is wrong because increasing the search auto-finalization time only extends the timeout window; it does not address the root cause of slow search performance and may still result in incomplete data if the search cannot complete within the new limit.

30
MCQmedium

A large e-commerce company uses Splunk Enterprise to analyze sales data. The marketing team requests a real-time dashboard showing total revenue per product category, updated every 5 seconds. A new Splunk user creates a dashboard panel with the search `index=sales | stats sum(price) by category | sort - sum(price)`. The dashboard works initially, but after 30 minutes, it stops updating and displays the error 'Search failed: too many results'. The user is concerned about the impact on system performance. The data volume is approximately 1 TB per day. Which of the following should the user do to create a reliable dashboard that updates frequently without causing performance issues?

A.Create a scheduled summary search that aggregates sales data by category every 5 minutes, and use the 'loadjob' command in the dashboard to load the summary results.
B.Use the 'streamstats' command to incrementally calculate revenue and limit the time range to the last 5 minutes to reduce the result set.
C.Reduce the search to only show the top 5 categories by using 'head 5' and set a 5-second auto-refresh on the dashboard.
D.Change the search to use the 'timechart' command with 'span=5s' and set the search to real-time mode.
AnswerA

Summary indexing pre-computes the aggregation, reducing the load on indexers and allowing the dashboard to refresh quickly without heavy searches.

Why this answer

Creating a scheduled summary search that pre-aggregates data every 5 minutes and then using 'loadjob' in the dashboard is the most efficient approach. It reduces the load on the indexers and allows the dashboard to refresh frequently with minimal performance impact. Option D would exacerbate the problem because real-time searches are resource-intensive.

Option C still runs the full aggregation on every refresh; 'head 5' only trims the output. Option B uses incremental computation but still requires scanning the full data set on each run.

31
MCQmedium

A dashboard panel using a bar chart shows a large number of values on the x-axis, making the chart unreadable. Which dashboard option should be used to limit the number of bars shown?

A.Overlay in the chart options
B.Color by field in the chart options
C.Stack mode in the chart options
D.Limit in the chart options
AnswerD

Limit property restricts the number of data points displayed.

Why this answer

Option D is correct because the 'Limit' option in the chart configuration allows you to specify the maximum number of data points (bars) displayed on the x-axis. By setting a limit, you reduce the number of bars shown, preventing overcrowding and making the chart readable. This is a direct control over the cardinality of the x-axis values in Splunk's visualization settings.

Exam trap

The trap here is that candidates often confuse 'Limit' with visual formatting options like 'Overlay' or 'Stack mode', thinking they can fix overcrowding by changing chart style rather than reducing the data volume.

How to eliminate wrong answers

Option A is wrong because 'Overlay' is used to superimpose another data series (e.g., a line chart) on top of the existing chart, not to control the number of bars. Option B is wrong because 'Color by field' assigns different colors to data points based on a field value, which can add visual distinction but does not limit the number of bars. Option C is wrong because 'Stack mode' controls how multiple series are stacked (e.g., stacked, grouped, or overlaid) in a bar chart, not the count of bars displayed.

32
MCQeasy

A small business uses Splunk to monitor their web server. They have a dashboard that shows daily page views. After a system update, the dashboard loads very slowly, often timing out. The dashboard uses a search that takes only 2 seconds when run manually. The dashboard has a time range picker set to 'Today'. The update changed some default settings. What is the most likely cause?

A.The index was renamed
B.The dashboard now uses real-time search
C.The search command changed to 'timechart'
D.The time range picker default was reset to 'All Time'
AnswerD

'All Time' searches across all data, causing slow load; the manual search likely used a limited range.

Why this answer

The dashboard was configured with a time range picker set to 'Today', but the system update reset the default to 'All Time'. This causes the search to scan all indexed data, dramatically increasing the data volume and search time, leading to timeouts. A manual search taking 2 seconds on a small time range becomes extremely slow when applied to the entire dataset, which is why the dashboard fails while the manual search still works.

Exam trap

Splunk often tests the misconception that a slow dashboard is caused by a heavy search command like 'timechart' or a real-time search, when the real culprit is an expanded time range that dramatically increases the volume of data scanned.

How to eliminate wrong answers

Option A is wrong because renaming an index would cause the search to return no results or an error, not a slow-loading dashboard that times out. Option B is wrong because real-time search would continuously update the dashboard, but the manual search still completes in 2 seconds, indicating the issue is not with real-time vs historical search mode. Option C is wrong because changing to 'timechart' would alter the visualization but not inherently cause a timeout; the timechart command itself is not slow unless operating on a large dataset, which points back to the time range issue.

33
MCQeasy

A security analyst wants to create a report that shows the count of failed login attempts per user over the last 24 hours, but only for users with more than 5 failures. Which Splunk command sequence should be used?

A.index=main action=failure | top limit=5 user
B.index=main | stats count by user | where count > 5
C.index=main action=failure | stats count by user | search count > 5
D.index=main action=failure | stats count by user | where count > 5
AnswerD

Correctly filters failures, counts by user, and applies the threshold.

Why this answer

Option D is correct because it first filters events to only failed login attempts using `index=main action=failure`, then uses `stats count by user` to count failures per user, and finally applies `where count > 5` to keep only users with more than 5 failures. This sequence ensures the count is calculated only on the relevant subset of events and the filter is applied after aggregation.

Exam trap

The trap here is that candidates often confuse the `where` and `search` commands, thinking `search` is always required for filtering, or they forget to filter for `action=failure` before aggregating, leading to incorrect counts of all events instead of only failed logins.

How to eliminate wrong answers

Option A is wrong because `top limit=5 user` returns the top 5 users by count, not all users with more than 5 failures, and it does not filter by a threshold. Option B is wrong because it does not filter for `action=failure` first, so it counts all events per user, not just failed logins. Option C is wrong because `search count > 5` after `stats` is a suboptimal approach that works but is less efficient than `where`; however, the primary issue is that it uses `search` instead of `where` for post-stats filtering, which can be slower and is not the recommended Splunk best practice for this scenario.

34
MCQhard

You are a Splunk administrator for a large e-commerce company. The operations team uses a dashboard to monitor server health, which includes a single-value panel showing the current number of active users, a bar chart of error counts by service, and a table of recent critical log entries. Recently, users have reported that the dashboard loads very slowly, sometimes taking over 30 seconds to display all panels. The dashboard uses base search and post-process searches to reduce duplication. The base search retrieves all logs from the last 24 hours, and each panel runs a post-process search to filter and aggregate data. The dashboard is scheduled to refresh every 60 seconds. There are approximately 10 million events per day. After investigating, you notice that the base search returns a large amount of data, and each post-process search still processes a significant subset. Which approach would most effectively improve dashboard performance without significantly altering the dashboard's functionality?

A.Remove the table of critical log entries to reduce the number of post-process searches.
B.Change the base search to a real-time search so that the data is streamed continuously.
C.Increase the dashboard refresh interval to 300 seconds to reduce the frequency of searches.
D.Create a summary index that pre-aggregates logs by hour and service, then modify the base search to use the summary index and adjust post-process searches accordingly.
AnswerD

This significantly reduces the data volume processed by the dashboard, leading to faster load times while preserving the dashboard's functionality.

Why this answer

Option D is correct because creating a summary index that pre-aggregates logs by hour and service drastically reduces the volume of data the base search must process. Instead of scanning 10 million raw events per 60-second refresh, the base search queries pre-computed hourly summaries, and each post-process search operates on a much smaller, aggregated dataset. This approach preserves all dashboard panels and their functionality while addressing the root cause of slow performance: excessive data volume in the base search.

Exam trap

The trap here is that candidates often choose Option C (increasing the refresh interval) because it seems to reduce load, but they overlook that it does not fix the slow loading time per refresh; Splunk tests the understanding that performance improvements must address data volume, not just frequency.

How to eliminate wrong answers

Option A is wrong because removing the table of critical log entries reduces functionality and only eliminates one post-process search, leaving the underlying issue of a large base search and other post-process searches unchanged. Option B is wrong because real-time searches do not reduce data volume; they stream all incoming events continuously, which would likely increase load and slow the dashboard further. Option C is wrong because increasing the refresh interval to 300 seconds only reduces the frequency of searches, not the time each search takes; the dashboard will still load slowly on each refresh, and users will experience even longer delays between updates.
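Questions 29, 30 and 34 all resolve to the same pattern: a scheduled search writes pre-aggregated rows to a summary index, and the dashboard reads those rows (or the scheduled job's last result set via `loadjob`) instead of scanning raw events on every refresh. The SPL below is an added example written for this page, not code from the exam or from Splunk; the report name `sales_category_summary`, the index names `sales` and `summary_sales`, the owner `admin` and the app `search` in the `loadjob` reference are assumptions. Comments use the `comment` macro that ships with the Search & Reporting app.

```spl
`comment("Scheduled summary search - hypothetical report sales_category_summary - run every 5 minutes over the previous 5-minute window")`
index=sales earliest=-5m@m latest=@m
| bin _time span=5m
| stats sum(price) AS revenue count AS orders by _time, category
| collect index=summary_sales source="sales_category_summary"

`comment("Dashboard panel - read 24 hours of pre-aggregated rows from the summary index instead of raw events")`
index=summary_sales source="sales_category_summary" earliest=-24h
| stats sum(revenue) AS revenue sum(orders) AS orders by category
| sort - revenue

`comment("Alternative panel - load the most recent result set of the scheduled report without running any search; owner and app are placeholders")`
| loadjob savedsearch="admin:search:sales_category_summary"
| sort - revenue
```

Two practical caveats: the summary index (`summary_sales` here) must exist before the first `collect` runs, and the scheduled search's time window should align with its cron interval (here `-5m@m` to `@m` with a 5-minute schedule) so that each run covers exactly one window and the summary neither double-counts nor gaps; keeping `_time` in the `stats` output lets `collect` store the rows with the bucket's own timestamp rather than the search's start time.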

35
MCQhard

In a dashboard, a user wants to click on a bar in a chart and navigate to another dashboard with relevant data for that bar. Which feature should they configure?

A.Drilldown
B.Link to search
C.Custom URL
D.Tokens
AnswerA

Drilldown actions can set tokens and navigate to other dashboards.

Why this answer

Drilldown is the correct feature because it allows a user to click on a data point (e.g., a bar in a chart) and navigate to another dashboard, passing the relevant field values as tokens to filter the target dashboard's data. This is a built-in capability in Splunk dashboards, configurable via the 'Drilldown' editor or XML attributes like `drilldown` on chart elements.

Exam trap

The trap here is that candidates often confuse 'Link to search' with drilldown because both involve clicking, but 'Link to search' opens a search window rather than navigating to a dashboard, which is the specific requirement in the question.

How to eliminate wrong answers

Option B (Link to search) is wrong because it creates a link that opens a new Search & Reporting view with a predefined search string, not a navigation to another dashboard with context-specific data. Option C (Custom URL) is wrong because while it can link to an external URL, it does not inherently pass the clicked bar's field values as tokens to filter another dashboard; that requires manual token handling and is not the standard feature for dashboard-to-dashboard navigation. Option D (Tokens) is wrong because tokens are variables used to pass values within a dashboard or to a search, but they do not by themselves enable click navigation; they are a supporting mechanism for drilldown, not the feature that enables the click-to-navigate behavior.

36
MCQeasy

Refer to the exhibit. The report returns 0 results even though there are error events in the data. What is the most likely issue?

A.The stats command is misspelled
B.The time range is not set
C.The field name is 'error' but the data uses 'ERROR'
D.The CSV file has no header
AnswerC

Splunk searches are case-sensitive by default; 'error=*' will not match 'ERROR'.

Why this answer

Option C is correct because Splunk field names are case-sensitive. The search is looking for a field named 'error', but the CSV data contains a field named 'ERROR'. Since the field name does not match exactly, the `stats` command cannot find any events with the field 'error', resulting in zero results.

Renaming the field in the search using `rename ERROR as error` or adjusting the field name in the data would resolve this.

Exam trap

The trap here is that candidates often assume Splunk field names are case-insensitive, similar to how some databases handle column names, but Splunk treats them as case-sensitive, leading to zero results when the case does not match.

How to eliminate wrong answers

Option A is wrong because the `stats` command is spelled correctly in the search; a misspelling would cause a syntax error, not a zero-result issue. Option B is wrong because the time range is not the issue here; the search is over a CSV file, which is not time-bound, and the time range setting does not affect the field name mismatch. Option D is wrong because if the CSV file had no header, Splunk would assign default field names (e.g., field1, field2), and the search would still not find a field named 'error' unless the data itself contained that exact string in a field value, but the issue is specifically about field name case sensitivity.

37
MCQmedium

Refer to the exhibit. Which visualization would be most appropriate for this data?

A.Bar chart
B.Line chart
C.Pie chart
D.Single value
AnswerA

Bar chart clearly compares the count for each status code.

Why this answer

A bar chart is the most appropriate visualization for this data because the exhibit shows categorical data (e.g., sourcetypes, hosts, or error codes) with a single numeric value (count or sum). Bar charts excel at comparing discrete categories, and Splunk's default behavior for a `stats count by field` command is to render a bar chart in the visualization tab, making it the natural choice for this structured output.

Exam trap

Splunk often tests the misconception that any numeric data can be plotted on a line chart, but the trap here is that candidates overlook the categorical nature of the x-axis (e.g., sourcetypes or hosts) and assume a line chart is always the default for 'count' data, ignoring that line charts require a time-ordered or continuous dimension.

How to eliminate wrong answers

Option B (Line chart) is wrong because line charts are designed for continuous data over time (e.g., time-series trends), and the exhibit does not show a time-based x-axis; using a line chart here would imply a false relationship between independent categories. Option C (Pie chart) is wrong because pie charts are suitable for showing parts of a whole with a limited number of categories (typically fewer than 5–7), and the exhibit likely contains many categories, making the pie chart cluttered and hard to interpret; Splunk also discourages pie charts for high-cardinality fields. Option D (Single value) is wrong because a single value visualization displays one aggregated metric (e.g., total count), but the exhibit shows multiple rows of data, not a single summary value.

38
MCQhard

A dashboard uses a drilldown on a table to navigate to another dashboard. After migration to a different Splunk instance, the drilldown links are broken. What is the best practice to avoid this issue?

A.Use token variables like $host$ in the link
B.URL-encode the dashboard name
C.Use absolute URLs with the full server name
D.Use relative paths like /app/search/dashboard_name
AnswerD

Relative paths remain valid across instances.

Why this answer

Option D is correct because using relative paths (e.g., `/app/search/dashboard_name`) ensures that the drilldown link remains valid after migration to a different Splunk instance. Absolute URLs with the full server name (Option C) break when the hostname or port changes, while token variables like `$host$` (Option A) are not resolved in drilldown links. URL-encoding the dashboard name (Option B) is unnecessary because Splunk dashboard names are already URL-safe and encoding does not address the root cause of broken links.

Exam trap

The trap here is that candidates often confuse token variables (which work in searches) with drilldown link fields, leading them to choose Option A, or they mistakenly think URL-encoding (Option B) solves migration issues, when the real problem is the hardcoded hostname in absolute URLs.

How to eliminate wrong answers

Option A is wrong because token variables like `$host$` are not evaluated in drilldown link fields; they are only resolved in search strings or form inputs, not in static HTML links. Option B is wrong because URL-encoding the dashboard name does not fix the underlying issue of absolute host references; it only handles special characters, which are rarely present in dashboard names. Option C is wrong because absolute URLs with the full server name hardcode the host and port, which will break when the Splunk instance is migrated to a different server or port.

39
MCQmedium

Refer to the exhibit. The pie chart shows only 10 slices, but the base search stats returns all destinations. What is the reason?

A.The post-process search includes | top limit=10 dest
B.The eval command changes the dest field
C.The base search time range is too small
D.The charting option 'chart' is set to 'pie'
AnswerA

This command reduces the results to the top 10 destinations, causing only 10 slices.

Why this answer

The base search returns all destinations, but the pie chart shows only 10 slices because the post-process search uses the `| top limit=10 dest` command. The `top` command limits the results to the top 10 values of the `dest` field by count, and this post-process search is applied after the base search, so only those 10 slices are displayed in the pie chart.

Exam trap

The trap here is that candidates may think the pie chart itself limits the number of slices (option D) or that the base search time range is responsible, but the actual cause is the `| top limit=10` command in the post-process search, which explicitly restricts the output to 10 results.

How to eliminate wrong answers

Option B is wrong because the `eval` command changes or creates a field, but it does not inherently limit the number of results; it would not cause only 10 slices to appear. Option C is wrong because the time range of the base search affects the data retrieved, but it does not directly limit the number of distinct `dest` values to exactly 10; the pie chart would still show all destinations from that time range. Option D is wrong because setting the charting option 'chart' to 'pie' only defines the visualization type; it does not impose a limit on the number of slices shown.

40
Multi-Selecthard

Which three of the following are best practices for creating efficient dashboards? (Choose three.)

Select 3 answers
A.Use summary indexing to pre-aggregate data
B.Use base searches to avoid duplicating search logic
C.Use tokens to pass user input between panels
D.Use real-time searches to ensure data is current
E.Use the | map command to iterate over large result sets
AnswersA, B, C

Summary indexing reduces the amount of data each panel must scan.

Why this answer

Option A is correct because summary indexing pre-aggregates data at search time and stores the results in a summary index, which can then be searched much faster than the raw data. This drastically reduces the amount of data that must be scanned when rendering dashboard panels, especially for large datasets or long time ranges, improving dashboard load performance.

Exam trap

Splunk often tests the misconception that real-time searches are ideal for dashboards because they show the latest data, but the trap is that real-time searches are resource-intensive and not designed for repeated or shared dashboard use, whereas summary indexing provides efficient, pre-computed data for dashboards.

41
MCQhard

A dashboard includes a table showing server errors. The team wants to click a row and drill down to a detailed view of that server's events in a new search. Which configuration is required?

A.Enable row expansion in the table options
B.Add a link to the search in the table using 'Link to external resource'
C.Set the drilldown action to 'Search' in the table's edit panel
D.Use the `drilldown` search command in the underlying search
AnswerC

Configures drilldown to run a new search.

Why this answer

Option C is correct because setting the drilldown action to 'Search' in the table's edit panel configures the dashboard to open a new search when a row is clicked. This uses the selected row's field values (e.g., server name) to populate the new search, enabling a detailed view of that server's events. The drilldown action is a built-in feature of Splunk's Simple XML dashboards, not a search command or external link.

Exam trap

The trap here is that candidates confuse the `drilldown` configuration option in the dashboard editor with a non-existent SPL command, or they assume row expansion or external links can achieve the same interactive navigation, but only the 'Search' drilldown action correctly passes row context to a new Splunk search.

How to eliminate wrong answers

Option A is wrong because row expansion in table options only reveals hidden fields within the same table; it does not trigger a new search or navigate to a different view. Option B is wrong because 'Link to external resource' creates a static URL that opens an external website, not a Splunk search; it cannot dynamically pass row values to a new Splunk search. Option D is wrong because there is no `drilldown` search command in Splunk's Search Processing Language (SPL); drilldown behavior is configured in the dashboard XML or UI, not in the underlying search string.

42
MCQmedium

You are a Splunk analyst for a financial services firm. You need to create a weekly report for management showing the total transaction value and number of transactions per day, broken down by transaction type (credit, debit, transfer). The data is in index=transactions with fields: trans_date, trans_type, amount. The report should be sent via email every Monday morning at 8 AM. You have created a report with the search: `index=transactions | timechart sum(amount) by trans_type`. However, the timechart shows only one series because the trans_type field has multiple values. You need to fix the search so that it correctly separates by trans_type. Additionally, you need to schedule the report. What should you do?

A.Add `| stats sum(amount) by _time, trans_type` before timechart.
B.Use `| eval trans_type=split(trans_type, ",") | mvexpand trans_type | timechart sum(amount) by trans_type`.
C.Use `| chart sum(amount) by trans_type` instead of timechart.
D.Use `| makemv trans_type | timechart sum(amount) by trans_type`.
AnswerB

Handles multivalue fields.

Why this answer

Option B is correct because the trans_type field contains multiple values in a single field (e.g., 'credit,debit,transfer'), so you must first split the values using `split()` and then expand them with `mvexpand` before using `timechart` to correctly separate the series. This ensures each transaction type is treated as an individual event for the aggregation.

Exam trap

Splunk often tests the distinction between `makemv` (which splits on a single space unless you pass `delim=`) and `split()`/`mvexpand` (where the delimiter is explicit and the resulting values are expanded into separate events), leading candidates to pick `makemv` for comma-separated data.

How to eliminate wrong answers

Option A is wrong because `stats sum(amount) by _time, trans_type` groups on the exact `_time` value of each event rather than on time buckets (it would need `bin _time` first), and it does nothing about the multivalue field, so the following `timechart` still sees the combined value. Option C is wrong because `chart sum(amount) by trans_type` produces a single summary across the whole time range, losing the per-day breakdown the weekly report requires. Option D is wrong because `makemv trans_type` as written uses the default single-space delimiter and leaves a comma-separated value intact (it would need `delim=","`), and it does not expand the values into separate events the way `mvexpand` does.
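The following is an added example, not part of the original question set, that models the `split()` / `mvexpand` / `timechart sum(amount) by trans_type` pipeline on a handful of constructed transaction events (the dates, types and amounts are invented). It shows the unsplit value turning up as its own series, the split version producing credit/debit/transfer series, and a caveat the question does not mention: `mvexpand` copies the whole event for each value, so an `amount` that belonged to one event is attributed in full to every type listed in it and the grand total is inflated.

```python
"""Added example (not from the original question set): why a comma-separated
multivalue field must be split and expanded before aggregating, and the
double-counting that mvexpand introduces for numeric fields."""
from collections import defaultdict

# Constructed index=transactions events; one event carries two types in a
# single comma-delimited string, the situation the question describes.
EVENTS = [
    {"trans_date": "2024-05-06", "trans_type": "credit", "amount": 100.0},
    {"trans_date": "2024-05-06", "trans_type": "debit", "amount": 40.0},
    {"trans_date": "2024-05-06", "trans_type": "credit,transfer", "amount": 60.0},
    {"trans_date": "2024-05-07", "trans_type": "transfer", "amount": 25.0},
]


def split_mv(event, field, delim=","):
    """eval field=split(field, delim): the delimited string becomes a list."""
    out = dict(event)
    out[field] = [v.strip() for v in str(event[field]).split(delim) if v.strip()]
    return out


def mvexpand(events, field):
    """mvexpand field: one copy of the event per value. Every other field,
    including amount, is duplicated into each copy."""
    expanded = []
    for ev in events:
        values = ev[field] if isinstance(ev[field], list) else [ev[field]]
        for value in values:
            copy = dict(ev)
            copy[field] = value
            expanded.append(copy)
    return expanded


def sum_by(events, time_field, split_field, value_field):
    """timechart sum(value_field) by split_field with the day as the bucket.
    Returns {day: {series_name: total}}."""
    table = defaultdict(lambda: defaultdict(float))
    for ev in events:
        table[ev[time_field]][str(ev[split_field])] += ev[value_field]
    return {day: dict(series) for day, series in table.items()}


def naive_series(events):
    """timechart straight over the raw field: 'credit,transfer' is a series."""
    return sum_by(events, "trans_date", "trans_type", "amount")


def expanded_series(events):
    """eval split() | mvexpand | timechart: one series per real type."""
    prepared = mvexpand([split_mv(ev, "trans_type") for ev in events], "trans_type")
    return sum_by(prepared, "trans_date", "trans_type", "amount")


def grand_total(series):
    return round(sum(sum(day.values()) for day in series.values()), 2)


if __name__ == "__main__":
    print(naive_series(EVENTS))
    print(expanded_series(EVENTS))
    # The expanded total exceeds the real total: the 60.0 event is counted
    # once under credit and once under transfer.
    print(grand_total(naive_series(EVENTS)), grand_total(expanded_series(EVENTS)))
```

If the report's "total transaction value" must reconcile with the ledger, split the amount across the expanded copies (for example `eval amount=amount/mvcount(trans_type)` before `mvexpand`) or report counts and sums from separate searches; otherwise the per-type sums are right but the dashboard total is not.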

43
MCQhard

You are a Splunk administrator at a large e-commerce company. The operations team has created a real-time dashboard to monitor website performance. The dashboard includes multiple panels: a line chart showing page load times over the last 60 minutes, a single value showing the number of active users, and a table listing the top 10 slowest pages. The dashboard refreshes every 30 seconds. Recently, users have reported that the dashboard is very slow to load and sometimes times out. The underlying searches are not accelerated. The dashboard uses a shared time range picker set to 'Last 60 minutes'. The index for web logs receives about 2 GB of data per hour. The team wants to improve performance without losing real-time capability. Which approach best addresses the problem?

A.Reduce the time range to 'Last 15 minutes' and keep the 30-second refresh.
B.Increase the refresh interval to 5 minutes to reduce search frequency.
C.Implement summary indexing for the searches and run them every 5 minutes.
D.Remove the single value panel to reduce the number of searches.
AnswerA

Less data improves load time, still real-time.

Why this answer

Option A is correct because reducing the time range to 'Last 15 minutes' significantly decreases the volume of data each search must scan, which directly reduces search execution time and dashboard load time. Since the dashboard refreshes every 30 seconds, a shorter time range still provides near-real-time visibility while preventing timeouts. The underlying searches are not accelerated, so limiting the data scanned is the most effective immediate performance improvement.

Exam trap

The trap here is that candidates often choose to increase the refresh interval (Option B) thinking it reduces load, but the real bottleneck is the amount of data scanned per search, not the frequency of searches.

How to eliminate wrong answers

Option B is wrong because increasing the refresh interval to 5 minutes reduces search frequency but does not address the root cause of slow searches scanning 60 minutes of data; the dashboard would still be slow when it does refresh, and it loses real-time capability. Option C is wrong because summary indexing runs searches every 5 minutes, which introduces a 5-minute delay and breaks the real-time requirement; also, summary indexing requires additional storage and maintenance overhead. Option D is wrong because removing a single panel reduces the number of searches but does not address the volume of data scanned per search; the remaining panels would still scan the full 60-minute time range and remain slow.

44
MCQmedium

A team creates a dashboard that uses a drop-down input to select a server. The dashboard slows down significantly when the input changes. What is the most likely cause?

A.The input is based on a report that runs every hour
B.The input's search is not using a summary index or accelerated data
C.The token name is too long
D.The input's results are cached too aggressively
AnswerB

Unaccelerated search over large data causes slowness.

Why this answer

Option B is correct because a drop-down input that triggers a search each time the user selects a new value can cause significant performance degradation if the underlying search is not optimized. Using a summary index or accelerated data allows the dashboard to retrieve pre-computed results instead of running a full raw data search on every selection, reducing load on the search head and indexers.

Exam trap

Splunk often tests the misconception that performance issues are caused by token length or caching aggressiveness, when the real culprit is the lack of search optimization through summary indexes or acceleration.

How to eliminate wrong answers

Option A is wrong because a report that runs every hour would not directly cause slowdowns on input changes; the input's search is independent of the report's schedule. Option C is wrong because token name length has no impact on search performance; tokens are simply placeholders for values and do not affect query execution time. Option D is wrong because caching results aggressively would actually improve performance, not slow it down; the issue is likely that results are not being cached or accelerated.

45
MCQeasy

A dashboard includes a single value visualization showing the total number of login failures. The number seems too high. Which common mistake could cause inflated counts?

A.Using `count` instead of `sum` when each event holds multiple failures
B.Using `dedup` before counting
C.Splitting by user without combining
D.Setting a too narrow time range
AnswerA

Count counts events, not values.

Why this answer

Option A is correct because when a single event contains multiple login failures (e.g., a log line like 'Failed logins: 5'), `count` merely counts the number of events, not the total failures. The `sum()` aggregation function is required to add up the numeric field that carries the failure count across events, giving the true total. This is a classic pitfall in Splunk where `count` (event count) is confused with `sum()` (field value summation).

Exam trap

Splunk often tests the confusion between `count` (event count) and `sum` (field value sum) when a single event can represent multiple occurrences, leading candidates to mistakenly choose `count` as the correct aggregation method.

How to eliminate wrong answers

Option B is wrong because `dedup` removes duplicate events, which would actually decrease the count, not inflate it; it is used to eliminate redundancy, not to cause overcounting. Option C is wrong because splitting by user without combining (e.g., using `stats count by user`) would produce per-user counts, not an inflated total—the overall sum would remain accurate if aggregated correctly. Option D is wrong because a too narrow time range would reduce the number of events returned, leading to a lower count, not an inflated one.

46
MCQmedium

A user creates a dashboard with multiple panels. Some panels share the same search. To improve performance, what should the user do?

A.Use post-process searches without a base search
B.Create separate searches for each panel with same query
C.Increase the time range to include more data
D.Define a base search and use post-process for each panel
AnswerD

Eliminates duplicate searches.

Why this answer

Option D is correct because defining a base search and using post-process searches allows the dashboard to run the common search once and then apply different post-processing transformations on the same result set. This reduces the overall search load on the indexers and search head, improving performance by avoiding redundant data retrieval and aggregation for each panel.

Exam trap

Splunk often tests the misconception that post-process searches can function independently without a base search, leading candidates to incorrectly select option A, when in reality post-process searches are dependent on a pre-existing base search result.

How to eliminate wrong answers

Option A is wrong because post-process searches require a base search to operate on; without a base search, there is no initial result set to filter or transform, so the panels would have no data. Option B is wrong because creating separate searches for each panel with the same query duplicates the search workload, increasing resource consumption and degrading performance rather than improving it. Option C is wrong because increasing the time range to include more data would expand the search scope, making the search slower and more resource-intensive, which is counterproductive to improving performance.

47
Multi-Selectmedium

A dashboard designer wants to create a drilldown from one chart to another dashboard. Which TWO actions must be configured? (Select two.)

Select 2 answers
A.Add a search command to the chart
B.Set the source chart's drilldown to 'link to search'
C.Enable dashboard permissions
D.Set the target dashboard's token to accept the drilldown value
E.Set the chart's drilldown action to 'link to dashboard'
AnswersD, E

Required to pass the clicked value to the target dashboard.

Why this answer

Options D and E are correct. The source chart's drilldown action must be set to 'link to dashboard' (E), and the target dashboard must define a token that the drilldown populates with the clicked value (D); without that token the target dashboard loads but has nothing to filter on.

How to eliminate wrong answers

Option A is wrong because drilldown is a visualization property configured in the dashboard XML or UI, not a search command. Option B is wrong because 'link to search' is a different drilldown type that opens the Search page with the clicked value, not another dashboard. Option C is wrong because dashboard permissions govern who can view each dashboard; they are not part of configuring the drilldown itself.

48
MCQeasy

An administrator needs to share a report with executives who prefer to see data in a tabular format with sorting capabilities. Which reporting method is best?

A.Dashboard panel
B.Gauges
C.Table
D.Pie chart
AnswerC

Tables display data in rows and columns with sorting.

Why this answer

Option C is correct because a Table visualization in Splunk provides a tabular format with built-in sorting capabilities (clickable column headers), which directly meets the executives' requirement for viewing data in a structured, sortable table. Unlike other visualizations, the Table report type preserves raw event data in rows and columns, allowing users to reorder results by any field without additional configuration.

Exam trap

The trap here is that candidates may confuse a Dashboard panel (which can contain a table) with the Table reporting method itself, or assume that a Pie chart or Gauge can be configured to display tabular data, when in fact only the Table visualization provides row-level sorting and a grid layout.

How to eliminate wrong answers

Option A is wrong because a Dashboard panel is a container for visualizations, not a specific reporting method; it can host tables, charts, or gauges, but does not inherently provide a tabular format with sorting. Option B is wrong because Gauges display a single metric value (e.g., a number on a dial or radial scale) and lack both tabular structure and row-level sorting capabilities. Option D is wrong because a Pie chart is a categorical visualization that shows proportional slices of a whole, with no support for tabular data or sorting by multiple fields.

49
Matchingmedium

Match each lookup type to its definition.

CSV lookup: Stores lookup data in a CSV file

KV Store lookup: Stores lookup data in a key-value store collection

External (scripted) lookup: Runs an external script to perform lookup

Geospatial lookup: Matches coordinates to geographic regions

Why these pairings

Lookups enrich events with external data.

50
MCQmedium

A dashboard has a radio button input that selects a sourcetype. The panel uses `index=web sourcetype=$source$`. However, when the user selects a sourcetype, the panel doesn't update. What is the most likely cause?

A.The token name in the search is `$source$` but the input token is named `sourcetype`.
B.The search includes a `stats` command that ignores the token.
C.The panel is a single value panel that does not update dynamically.
D.The time range is too short and returns no events.
AnswerA

Token names must match between input and search reference.

Why this answer

The dashboard panel does not update because the token referenced in the search string (`$source$`) does not match the name of the radio button input. In Splunk, a dashboard input creates a token with the name specified in its `token` attribute. If the input's token is named `sourcetype`, the search must use `$sourcetype$` to reference its value.

Using `$source$` means the search looks for a token that does not exist, so no substitution occurs and the panel remains static.

Exam trap

Splunk often tests the exact token naming mismatch between the input's `token` attribute and the `$token_name$` used in the search, tricking candidates into blaming panel types or search commands instead.

How to eliminate wrong answers

Option B is wrong because the `stats` command does not ignore tokens; token substitution happens when the dashboard builds the search string, before any command executes, so a `stats` command would receive the substituted value like every other command. Option C is wrong because single value panels do update when their underlying search changes; the panel type does not prevent token-driven updates. Option D is wrong because a time range that is too short would run the search and show 'No results'; it would not leave the panel unchanged.
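As an added example, not part of the original question set, the following models how a Simple XML search string resolves `$token$` references. It reports the name mismatch in the question (`$source$` referenced, `sourcetype` defined), shows the corrected search, and adds one check a practitioner wants on any dashboard that takes free text: an unfiltered token is spliced into the search as raw SPL, whereas the `|s` filter (`$st|s$`) wraps the value in double quotes so it stays a single string. The search still runs with the viewing user's permissions, so this alters the dashboard's intended logic rather than bypassing index access control. The token name `st` and the hostile value are constructed for illustration.

```python
"""Added example (not from the original question set): resolve $token$
references in a Simple XML search string the way the dashboard does, report
token names no input defines, and show what the |s filter changes."""
import re

# $name$ or $name|f$, where f is a single-letter token filter such as s (quote).
TOKEN_RE = re.compile(r"\$([A-Za-z_][A-Za-z0-9_.]*)(\|[a-z])?\$")


def spl_quote(value):
    """The |s filter: return the value as one double-quoted SPL string,
    escaping embedded backslashes and double quotes."""
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def unresolved_tokens(search, tokens):
    """Token names the search references that no input sets. A panel with any
    of these never runs: Splunk waits for the token to be defined."""
    return sorted({m.group(1) for m in TOKEN_RE.finditer(search)} - set(tokens))


def resolve(search, tokens):
    """Substitute every token reference; ValueError if one is undefined."""
    missing = unresolved_tokens(search, tokens)
    if missing:
        raise ValueError(f"undefined tokens: {missing}")

    def repl(match):
        name, flt = match.group(1), match.group(2)
        value = tokens[name]
        return spl_quote(value) if flt == "|s" else str(value)

    return TOKEN_RE.sub(repl, search)


# The question's panel search and the token the radio input actually sets.
PANEL_SEARCH = "index=web sourcetype=$source$ | stats count by status"
INPUT_TOKENS = {"sourcetype": "access_combined"}  # <input type="radio" token="sourcetype">


def mismatch():
    """Why the panel never updates: $source$ is not a token any input defines."""
    return unresolved_tokens(PANEL_SEARCH, INPUT_TOKENS)


def fixed():
    """The same search with the reference corrected to the input's token name."""
    return resolve(PANEL_SEARCH.replace("$source$", "$sourcetype$"), INPUT_TOKENS)


def filter_comparison():
    """Constructed hostile value typed into a free-text input: without |s it
    is spliced in as extra search terms; with |s it remains one string."""
    hostile = "access_* OR index=finance"
    raw = resolve("index=web sourcetype=$st$ | stats count", {"st": hostile})
    quoted = resolve("index=web sourcetype=$st|s$ | stats count", {"st": hostile})
    return raw, quoted


if __name__ == "__main__":
    print(mismatch(), fixed(), *filter_comparison(), sep="\n")
```

Running `unresolved_tokens` over every `<query>` in a dashboard against the set of declared `<input token="...">` names catches the mismatch in this question before anyone clicks the radio button.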

51
MCQhard

A Splunk administrator needs to create a dashboard that displays a summary of sales data from multiple regions. Each region's data is in a separate index. The dashboard should allow users to select a region from a dropdown and see the sales data for that region. Which type of dashboard input should be used?

A.A text input field where users type the region name
B.A radio button group with predefined regions
C.A dropdown input that populates from a search returning the list of regions
D.A checkbox list with multiple regions
AnswerC

Dynamic, user-friendly, and scalable, allowing single selection from a list.

Why this answer

Option C is correct because a dropdown input that populates from a search dynamically retrieves the list of region names from the data, ensuring the dashboard always reflects the actual indices available. This approach is scalable and reduces manual maintenance, as the dropdown options are generated by a Splunk search (e.g., `| eventcount summarize=false index=* | dedup index | table index`), making it ideal for a multi-index scenario where regions may change over time.

Exam trap

The trap here is that candidates may choose a static input (like a radio button or text field) because they overlook the need for dynamic data-driven options, or they may select a checkbox list thinking it allows single selection, but Splunk's checkbox input inherently permits multiple selections unless explicitly constrained by JavaScript or custom logic.

How to eliminate wrong answers

Option A is wrong because a text input field requires users to manually type the exact region name, which is error-prone and inefficient; it also lacks validation against the actual index names, potentially leading to failed searches. Option B is wrong because a radio button group with predefined regions is static and cannot adapt to changes in the data or indices; it would require manual updates to the dashboard whenever a region is added or removed. Option D is wrong because a checkbox list allows multiple selections, which contradicts the requirement for a single region selection; it would also need to be populated statically or via a search, but the multi-select behavior is not appropriate for a summary view of one region at a time.

52
Multi-Selecteasy

Which TWO chart types are best suited for showing the distribution of categorical data?

Select 2 answers
A.Scatter chart
B.Line chart
C.Area chart
D.Pie chart
E.Column chart
AnswersD, E

Good for categorical distribution.

Why this answer

Pie charts and column charts are both effective for displaying the distribution of categorical data because they visually compare parts of a whole or the frequency of distinct categories. In Splunk, the `pie` and `column` chart types are commonly fed by the `stats`, `chart` or `top` commands, which aggregate event counts or statistical values by a categorical field, making it easy to see relative proportions or rankings.

Exam trap

Splunk often tests the misconception that line charts are suitable for any data with a time field, but they are only appropriate when the x-axis represents a continuous time series, not categorical labels.

53
Multi-Selecteasy

Which TWO options are valid methods to add a visualization to a dashboard?

Select 2 answers
A.Save a search as a dashboard panel
B.Use the Dashboard Studio editor
C.Drag a chart from the search page
D.Append the chart command to the search
E.Use the export to PDF feature
AnswersA, B

When saving a search, you can choose to add it to a dashboard as a panel.

Why this answer

Option A is correct because saving a search as a dashboard panel directly creates a visualization on a dashboard. When you run a search that produces a chart or table, the 'Save As' menu includes an option to save it as a dashboard panel, which adds the visualization to an existing or new dashboard. Option B is correct because the Dashboard Studio editor lets you add a visualization to the canvas and configure its search and chart type in place.

Exam trap

Splunk often tests the distinction between methods that add visualizations to dashboards versus methods that export or transform data, so candidates may confuse the 'chart' command or export features with dashboard creation methods.

54
MCQeasy

Which visualization type is best suited to show the proportion of errors by category (e.g., HTTP 404, 500, 403) as parts of a whole?

A.Single value
B.Column chart
C.Scatter plot
D.Pie chart
AnswerD

Pie charts effectively display parts of a whole.

Why this answer

A pie chart is the correct choice because it is specifically designed to display the proportional distribution of categorical data as parts of a whole. In Splunk, the `pie` visualization type visually represents the relative size of each error category (e.g., HTTP 404, 500, 403) as slices of a circle, making it immediately clear which category accounts for the largest share of errors.

Exam trap

The trap here is that candidates often choose a Column chart (Option B) because they think of comparing error counts, but the question specifically asks for 'parts of a whole' — a pie chart is the only visualization that inherently shows proportional share, not absolute comparison.

How to eliminate wrong answers

Option A is wrong because a Single Value visualization shows only one aggregated number (e.g., total error count) and cannot display multiple categories or their proportions. Option B is wrong because a Column chart is best for comparing values across categories over time or groups, not for showing parts of a whole; it emphasizes magnitude differences rather than proportional share. Option C is wrong because a Scatter plot is used to visualize the relationship between two numerical variables (e.g., error count vs. response time) and is not suitable for showing categorical proportions.

55
MCQmedium

An analyst created a report that runs a search over the last 7 days. The report is scheduled to run daily. Each time the report runs, it takes a long time and impacts other searches. What is the best way to improve performance without changing the data model?

A.Change the schedule to run weekly instead of daily.
B.Change the time range to 'Last 24 hours' to reduce data scanned.
C.Enable report acceleration on the report.
D.Create a summary index and populate it with a separate scheduled search.
AnswerC

Report acceleration pre-computes and caches results, speeding up subsequent runs.

Why this answer

Option C is correct because report acceleration pre-computes and stores the results of a report's search in a summary, allowing subsequent runs to read the summary instead of re-executing the full search over the raw data. This drastically reduces runtime and resource consumption without altering the underlying data or the report's logic. It is available only for reports whose search uses transforming commands, and the summary is built over the report's time range before the speed-up is visible.

Exam trap

The trap here is that candidates often confuse report acceleration with summary indexing (Option D) and assume the latter is the only way to pre-compute results, or they incorrectly think changing the time range (Option B) is a performance fix without realizing it alters the report's data scope.

How to eliminate wrong answers

Option A is wrong because running the report weekly instead of daily only reduces how often the slow search happens; each run is still just as expensive. Option B is wrong because changing the time range to 'Last 24 hours' changes what the report measures, breaking the 7-day requirement, rather than making the same search faster. Option D is wrong because creating a summary index and populating it with a separate scheduled search is a valid optimization, but it means maintaining an extra index and a populating search and rewriting the report against the summary, whereas report acceleration is a built-in option on the report itself that needs no manual index management.

56
MCQhard

A SOC manager creates a dashboard with multiple time-range pickers (one global, one per panel). The global picker is set to 'Last 7 days' but one panel uses its own picker set to 'Last 24 hours'. When the dashboard loads, which time range will the panel use?

A.The dashboard default of 'Last 24 hours'
B.A combination of both: the last 7 days but limited to 24 hours
C.The global picker setting of 'Last 7 days'
D.The panel's own picker setting of 'Last 24 hours'
AnswerD

Panel-specific settings take precedence over global.

Why this answer

Option D is correct because a panel that has its own time range input runs over that range; the panel-level setting takes precedence over the shared (global) picker.

How to eliminate wrong answers

Option A is wrong because 'Last 24 hours' here is the value of the panel's own picker, not a dashboard default; the panel honors it because it is panel-specific. Option B is wrong because time ranges are not merged; a panel runs over exactly one range. Option C is wrong because the global picker applies only to panels that do not override it with their own.

57
Multi-Selecthard

Which THREE of the following are valid considerations when scheduling a report for PDF delivery via email? (Choose three.)

Select 3 answers
A.The report can be sent as a PDF attachment or as a link to the report in Splunk.
B.The report can include HTML-embedded CSV data directly in the email body.
C.The email server must be configured to allow inbound SMTP from Splunk.
D.If the report contains sensitive data, the PDF may still contain the data even if the user cannot access the report due to app-level permissions.
E.The recipient must have at least read permissions on the report to view it in Splunk.
AnswersA, D, E

Both delivery options are available.

Why this answer

Option A is correct because when scheduling a report for email delivery, Splunk lets you attach the rendered PDF or include a link to the report in Splunk (or both). Option D is correct because the scheduled search runs under the report owner's permissions and the PDF is a static rendering attached to the email, so a recipient receives whatever the report produced regardless of whether their own role could open the report in Splunk; sensitive reports therefore need care over who is on the recipient list. Option E is correct because the link variant is only useful to recipients who have at least read permission on the report object.

Exam trap

The trap here is that candidates often confuse the direction of SMTP traffic (inbound vs. outbound) and assume Splunk needs to receive email, when in fact Splunk only sends email via outbound SMTP.

58
MCQeasy

A user creates a report that summarizes error codes by frequency. They want to share it with the team so others can view but not edit. Which permission should the user set on the report?

A.The 'edit' permission for the team
B.The 'share' permission for the team
C.The 'write' permission for the team
D.The 'read' permission for the team
AnswerD

Read permission allows viewing without editing.

Why this answer

The 'read' permission (Option D) is correct because it grants view-only access to the report, allowing team members to see the summarized error codes without the ability to modify or delete the report. In Splunk, permissions are managed via roles and object-level access control, where 'read' enables viewing but not editing, which aligns with the user's requirement to share the report for viewing only.

Exam trap

The trap here is that candidates often confuse the 'share' permission with the ability to let others view the report, but 'share' in Splunk refers to the capability to share objects with others, not the permission that controls viewing access on the object itself.

How to eliminate wrong answers

Option A is wrong because the 'edit' permission would allow team members to modify the report, which contradicts the requirement that others can view but not edit. Option B is wrong because 'share' permission is not a standard Splunk object-level permission; sharing is a capability that controls whether a user can share objects, not a permission set on the report itself. Option C is wrong because 'write' permission in Splunk is synonymous with edit access, enabling users to modify or delete the report, which is not desired.

59
MCQeasy

A junior analyst creates a dashboard to monitor server CPU usage. The dashboard contains a single panel with a line chart showing CPU percentage over the last 24 hours. The analyst then adds a second panel that displays the same data but as a single value showing the average CPU. Both panels use the exact same search string. The dashboard loads slowly, and users complain of wait times. The analyst wants to improve performance without changing the displayed data. Which course of action is best?

A.Keep both panels but add more resources to the Splunk server
B.Convert the dashboard to use a base search and post-process the panels
C.Remove the single value panel and embed its value in the line chart title
D.Enable report acceleration on one of the panels
AnswerB

Base search runs once and both panels use post-process, reducing load.

Why this answer

Option B is correct because using a base search with post-process searches allows both panels to share a single dataset, reducing redundant search execution. Instead of running the same heavy search twice, the base search runs once, and each panel applies lightweight post-processing (e.g., timechart vs. stats) on the cached results. This directly addresses the slow load time without altering the displayed data.

Exam trap

The trap here is that candidates often confuse post-processing with report acceleration or think that removing a panel is the only way to improve performance, but Splunk's base search feature is the designed solution for sharing search results across panels without data loss.

How to eliminate wrong answers

Option A is wrong because adding more resources to the Splunk server does not fix the root cause, duplicate search execution, and is a costly workaround. Option C is wrong because embedding the average in the line chart title removes the single value panel and so changes what is displayed. Option D is wrong because accelerating one panel still leaves the other panel running the full search, so the duplicate execution remains; report acceleration also applies only to a saved report with a transforming search, and its summary is refreshed periodically, so the accelerated panel could lag the other one.
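The following is an added example, not part of the original question set, covering the base search recommendation in this question and in question 46. It parses a constructed Simple XML dashboard for the two CPU panels (index, sourcetype, host and field names are assumptions), finds the search stages the panels share, moves them into a dashboard-level `<search id="base">`, and turns each panel's `<search>` into a `<search base="base">` holding only its own post-process stage.

```python
"""Added example (not from the original question set): detect panels that
repeat the same leading search stages and rewrite them as one base search
plus per-panel post-process searches, in Simple XML terms."""
import xml.etree.ElementTree as ET

# Constructed Simple XML for the two-panel CPU dashboard the question describes.
DASHBOARD_XML = """<dashboard>
  <label>Server CPU</label>
  <row>
    <panel>
      <chart>
        <search>
          <query>index=os sourcetype=cpu host=web01 | timechart avg(pct_cpu)</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </chart>
    </panel>
    <panel>
      <single>
        <search>
          <query>index=os sourcetype=cpu host=web01 | stats avg(pct_cpu)</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </single>
    </panel>
  </row>
</dashboard>"""


def split_pipeline(query):
    """Split SPL into stages on '|'. Simplification: a pipe inside a quoted
    string would be split too; real SPL needs a proper tokenizer."""
    return [stage.strip() for stage in query.split("|") if stage.strip()]


def common_prefix_stages(queries):
    """Longest run of identical leading stages shared by every query."""
    shared = []
    for stages in zip(*[split_pipeline(q) for q in queries]):
        if len(set(stages)) != 1:
            break
        shared.append(stages[0])
    return shared


def refactor_to_base(root, base_id="base"):
    """Move the shared leading stages into one <search id=...> at dashboard
    level; each panel keeps a <search base=...> with only its remainder.
    Returns (base_query, [post_process_query, ...]); base_query is None when
    the panels share nothing."""
    searches = [s for s in root.iter("search") if s.find("query") is not None]
    queries = [s.find("query").text.strip() for s in searches]
    shared = common_prefix_stages(queries) if len(searches) > 1 else []
    if not shared:
        return None, queries
    base_query = " | ".join(shared)

    base = ET.Element("search", id=base_id)
    ET.SubElement(base, "query").text = base_query
    # The base search owns the time range; copy it from the first panel.
    for tag in ("earliest", "latest"):
        node = searches[0].find(tag)
        if node is not None:
            ET.SubElement(base, tag).text = node.text
    # Simple XML places top-level <search> after <label>/<description>.
    position = sum(1 for child in root if child.tag in ("label", "description"))
    root.insert(position, base)

    post_process = []
    for search, query in zip(searches, queries):
        remainder = " | ".join(split_pipeline(query)[len(shared):])
        post_process.append(remainder)
        for child in list(search):
            search.remove(child)
        search.attrib.clear()
        search.set("base", base_id)
        # A post-process query begins with a pipe: the base supplies its input.
        ET.SubElement(search, "query").text = "| " + remainder
    return base_query, post_process


def demo():
    root = ET.fromstring(DASHBOARD_XML)
    base_query, post_process = refactor_to_base(root)
    panel_refs = [s.get("base") for s in root.iter("search") if s.get("id") is None]
    return base_query, post_process, panel_refs, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(demo()[3])
```

The shared prefix here is a raw-event search, and Splunk caps the number of events a non-transforming base search hands to post-process searches. In practice push a transforming stage into the base (for example `| bin _time span=5m | stats avg(pct_cpu) by _time`) and keep the post-process stages light, so the base stays within the limit and the panels still agree with each other.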

60
MCQhard

Refer to the exhibit. A user runs this search in Splunk to create a timechart of web server status codes. The resulting chart shows no data for the "error" status. What is the most likely cause?

A.The 'status' field is not extracted from the sourcetype.
B.The eval command after timechart does not affect the timechart series; the timechart already split by original status values.
C.The stats command after eval removes the status field.
D.The web server is not generating any errors.
AnswerB

The timechart creates its series from the status field at that point in the pipeline; a later eval does not change the series.

Why this answer

The search redefines the `status` field after the `timechart` command, but `timechart` has already split its series on the original status values. Its output rows carry `_time` plus one column per original value; the `status` field itself is gone, so the `eval` has nothing to act on and the series stay as they were. The fix is to place the `eval` before `timechart`, so the recoded values are what it splits on.

61
MCQeasy

A user created a report that runs every hour. They notice the report's results include data from the previous hour only, but they want data from the last 24 hours. What should they change in the search?

A.Increase the report scheduling frequency
B.Add | timechart span=1h
C.Change the time range to Last 24 hours
D.Use | stats count by date_hour
AnswerC

This expands the search window to include 24 hours of data.

Why this answer

Option C is correct because the report's search is currently using a relative time range (e.g., Last hour) that limits results to the previous hour. Changing the time range to 'Last 24 hours' expands the search window to include all events from the past 24 hours, ensuring the report returns the desired data. The scheduling frequency controls when the search runs, not the span of data it retrieves.

Exam trap

The trap here is that candidates confuse scheduling frequency (how often the search runs) with the time range (the window of data the search examines), leading them to incorrectly choose Option A.

How to eliminate wrong answers

Option A is wrong because increasing the scheduling frequency (e.g., running every 30 minutes) does not change the time range of the search; it only makes the report run more often, still returning only the previous hour's data each time. Option B is wrong because | timechart span=1h groups results into 1-hour buckets but does not extend the time range; it would still only show data from the current time range (e.g., last hour) as a single bucket. Option D is wrong because | stats count by date_hour counts events per hour but does not change the search's time range; it would only count events within the existing 1-hour window, not the last 24 hours.

62
MCQmedium

A large organization's security team has a dashboard that displays the top 10 source IPs by number of failed login attempts. The dashboard uses a search: index=security sourcetype=login action=failure | top limit=10 src_ip. Lately, the dashboard shows incorrect data (e.g., IPs that are not actually top). However, when the same search is run in the Search app, it shows correct results. The dashboard is scheduled to refresh every 10 minutes. What is the most likely cause?

A.The dashboard's time range is different from the manual search
B.The dashboard is using a real-time search that causes data inconsistency
C.The dashboard uses a summary index with stale data
D.The user has incorrect field permissions
AnswerC

Summary indexes may not be as up-to-date, causing stale data in scheduled dashboard refreshes.

Why this answer

Option C is correct because the dashboard is likely configured to use a summary index that is populated by a scheduled search. If the summary index is not updated frequently enough or contains stale data, the dashboard will display incorrect results even though the live search in the Search app returns accurate data. The 10-minute refresh interval does not repopulate the summary index; it only re-queries the already stale summary data.

Exam trap

The trap here is that candidates assume the dashboard refresh interval controls the underlying data freshness, but in reality, the summary index is populated independently by a separate scheduled search, and the dashboard only re-queries the summary index, not the original data.

How to eliminate wrong answers

Option A is wrong because if the dashboard's time range were different, the results would consistently differ from the manual search, not just appear incorrect; the manual search would also show different results if run with the same time range. Option B is wrong because real-time searches would show the most current data, not stale or incorrect data, and the dashboard is scheduled to refresh every 10 minutes, not using a real-time search. Option D is wrong because field permissions would prevent the field from being displayed or cause errors, not show incorrect IP counts; the dashboard is displaying data, just the wrong IPs.

63
MCQeasy

Refer to the exhibit. The user wants to display the count over time for each source. However, the chart shows only one line labeled 'MyCount'. What is the problem?

A.The index name is misspelled.
B.The `timechart` command should not have `by source`.
C.The `rename` command after `timechart` renames incorrectly; `timechart count by source` creates multiple fields, and `rename count as "MyCount"` does not rename them.
D.The chart type is line chart by default.
AnswerC

The rename needs to target the per-source series names (one rename per series, or a wildcard that matches them), because `timechart` with a split-by field does not emit a field called `count`.

Why this answer

Option C is correct because `timechart count by source` generates one column per source value, not a single field named `count`: with a single aggregation the columns are named after the source values themselves, and with more than one aggregation they become `count: <source>`. The subsequent `rename count as "MyCount"` therefore matches nothing, and the per-source series the user expected never get the intended names. To rename the series you must match their actual names, with a wildcard or one `rename` per series.

Exam trap

Splunk often tests the nuance that `timechart count by source` splits the count into one column per source value rather than producing a single `count` field, and candidates mistakenly assume `rename count as "MyCount"` will touch those columns, leading them to overlook the correct answer.

How to eliminate wrong answers

Option A is wrong because a misspelled index name would return no results at all, not a single line labeled 'MyCount'. Option B is wrong because `timechart count by source` is syntactically valid and necessary to break down counts per source over time; removing `by source` would aggregate all sources into one count, which is not the user's intent. Option D is wrong because the chart type (line chart) is not the issue; the problem is the field naming after `timechart`, not the visualization type.

64
MCQmedium

A user wants to create a report that shows the top 5 most frequent error messages from the last 7 days. The search results should be sorted by count. Which search is correct?

A.error | top 5 message
B.error | rare message | head 5
C.error | stats count by message | sort -count
D.error | top limit=5 message
AnswerD

Correctly uses top to get top 5.

Why this answer

Option D is correct because the `top` command counts the occurrences of each distinct value of the `message` field, sorts the results in descending order by count, and `limit=5` restricts the output to the five most frequent values. Note that `top` does not set the time range itself; the 7-day window comes from the time picker or from `earliest=-7d` in the base search.

Exam trap

Splunk often tests the argument forms of `top` (the limit option precedes the field list) and whether candidates reach for `rare` or `head`, which rank in the opposite direction.

How to eliminate wrong answers

Option A is not strictly invalid SPL: the documented syntax is `top [<N>] [<top-options>...] <field-list>`, so `top 5 message` is accepted as a positional limit and returns the same result. The answer key prefers the explicit `limit=5` form, which is also the form to use in practice because it is unambiguous. Option B is wrong because `rare` returns the least frequent values, so `head 5` on its output yields the five rarest messages, the opposite of what is needed. Option C is wrong because while `stats count by message | sort -count` counts and sorts correctly, it does not limit the results to 5; appending `head 5` would make it equivalent, but as written it returns every error message.

65
Multi-Selecthard

Which TWO actions increase the performance of a dashboard in Splunk? (Choose two.)

Select 2 answers
A.Use scheduled reports as base searches
B.Add a large number of drilldowns
C.Use real-time searches
D.Use the tstats command on accelerated data models
E.Add multiple time range pickers to the dashboard
AnswersA, D

Scheduled reports cache their results and `tstats` on accelerated data models reads precomputed summaries; both cut the search work done at dashboard load.

Why this answer

Option A is correct because scheduled reports used as base searches pre-compute and cache their results, so the dashboard reads the cached results instead of re-running the search against the indexers on every load; the expensive work moves to the schedule, ideally off-peak. Option D is correct because `tstats` against an accelerated data model reads the precomputed summaries rather than scanning raw events, which is much cheaper for counts and aggregations (with the caveat that `summariesonly=t` only covers the accelerated time range). Options B, C and E all add load: every extra drilldown and time range picker is more state and more searches to manage, and real-time searches hold indexer resources continuously while the dashboard is open.

Exam trap

Splunk often tests the misconception that real-time searches are always better for dashboards, but in Splunk, real-time searches are resource-intensive and degrade performance, whereas scheduled reports and accelerated data models are the recommended optimization techniques.

66
MCQmedium

A security analyst has created a report that shows the count of failed login attempts by user. The analyst now wants to display this data as a column chart on a dashboard. Which Splunk feature should be used to convert the report into a visualization?

A.Schedule the report to run and then export the results as a PDF.
B.Use the 'Save As Dashboard Panel' option on the report.
C.Convert the report to an alert and then add it to the dashboard.
D.Copy the report's search string and paste it into a new dashboard panel.
AnswerB

This option directly creates a visualization panel on a dashboard from the report.

Why this answer

The 'Save As Dashboard Panel' option on a report directly converts the report's search and visualization settings into a dashboard panel, preserving the column chart configuration. This is the intended workflow in Splunk for turning a saved report into a reusable dashboard visualization without manual reconfiguration.

Exam trap

Splunk often tests the misconception that copying a search string is equivalent to reusing the report, but a report-based panel references the report by name (`<search ref="..."/>` in Simple XML) and inherits the report's visualization settings, which a pasted inline search does not.

How to eliminate wrong answers

Option A is wrong because scheduling a report and exporting as PDF creates a static file, not an interactive dashboard visualization; it does not embed the chart into a live dashboard. Option C is wrong because converting a report to an alert triggers actions based on conditions, not a visualization; alerts are for notifications, not for displaying column charts on dashboards. Option D is wrong because copying the search string into a new dashboard panel requires manually re-creating the visualization settings (e.g., chart type, formatting), which is inefficient and error-prone compared to using the built-in conversion feature.

67
MCQhard

Refer to the exhibit. The search is expected to produce a count of HTTP status codes grouped into categories. However, the results show a column 'status' instead of 'status_category'. What is the problem?

A.The first 'stats count by status' is unnecessary; the eval should be applied first, then stats.
B.The eval command references a field 'status' that does not exist after the first stats.
C.The second stats command should be 'stats count by status'.
D.The eval command should use 'if' instead of 'case'.
AnswerA

Aggregating before categorizing collapses the events to one row per status code, so the later count is of codes, not events; categorize first, then aggregate.

Why this answer

Option A is correct because the pipeline runs `stats count by status` first, which collapses the raw events into one row per distinct status code with a `count` field. The `eval` that follows can still read `status` (it survives as the group-by field) and create `status_category`, but the second `stats count by status_category` now counts rows, that is, distinct status codes per category, rather than the underlying events. Placing the `eval` before the first `stats` lets `case()` categorize each raw event, and a single `stats count by status_category` then aggregates by the new field, which is the intended result and also avoids an extra pass over the data. (If the first `stats` had to be kept, the second one would need `sum(count)` instead of `count` to recover event totals.)

The first `stats` is unnecessary and disrupts the intended flow.

Exam trap

Splunk often tests the order-of-operations pitfall where candidates assume a transforming command such as `stats` leaves the event stream intact; it replaces the events with aggregated rows, so anything computed afterwards operates on those rows and their `count` values, not on the original events.

How to eliminate wrong answers

Option B is wrong because the `status` field does exist after the first `stats`; it is retained as the group-by field in the stats output, so the `eval` can read it. Option C is wrong because changing the second `stats` to `count by status` would simply repeat the first aggregation; `status_category` would still never be the grouping field, and the output column would still be `status`. Option D is wrong because `case()` is the natural function for mapping ranges of status codes to categories; nested `if()` calls would work but are harder to read, and the core problem is the order of operations, not the choice of conditional function.
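To make the order-of-operations point concrete, here is an added Python re-implementation of the two pipelines run over a constructed list of status codes. It is not Splunk code and not taken from the exhibit; the category boundaries in `categorize()` and the sample codes are assumed. It shows the count distortion the wrong ordering produces and the `sum(count)` repair.

```python
from collections import Counter

# Constructed sample: one HTTP status code per web-access event (not real data).
STATUS_EVENTS = [200, 200, 301, 404, 404, 404, 500, 503, 200, 302]


def categorize(status):
    """Mirror of the exhibit's eval (boundaries assumed):
    eval status_category=case(status<300,"success", status<400,"redirect",
                              status<500,"client_error", 1=1,"server_error")
    """
    if status < 300:
        return "success"
    if status < 400:
        return "redirect"
    if status < 500:
        return "client_error"
    return "server_error"


def eval_then_stats(events):
    """Intended order:
    | eval status_category=case(...) | stats count by status_category
    Every raw event is categorized, then counted.
    """
    return dict(Counter(categorize(s) for s in events))


def stats_first_rows(events):
    """| stats count by status
    A transforming command: the events are replaced by one row per status code.
    """
    return [{"status": s, "count": c} for s, c in Counter(events).items()]


def stats_then_eval_then_stats(events):
    """Exhibit order:
    | stats count by status | eval status_category=case(...) | stats count by status_category
    `status` still exists on each row, so the eval works, but the second `count`
    counts rows (distinct status codes per category), not events.
    """
    rows = stats_first_rows(events)
    for row in rows:
        row["status_category"] = categorize(row["status"])
    return dict(Counter(row["status_category"] for row in rows))


def stats_then_eval_then_sum(events):
    """Same pipeline ending in `stats sum(count) as count by status_category`,
    which recovers the event totals when the first stats has to stay.
    """
    totals = Counter()
    for row in stats_first_rows(events):
        totals[categorize(row["status"])] += row["count"]
    return dict(totals)


if __name__ == "__main__":
    print("eval first  :", eval_then_stats(STATUS_EVENTS))
    print("stats first :", stats_then_eval_then_stats(STATUS_EVENTS))
    print("sum(count)  :", stats_then_eval_then_sum(STATUS_EVENTS))
```

With the ten constructed events, categorizing first gives 3 success, 2 redirect, 3 client_error and 2 server_error; aggregating first and then counting again reports 1, 2, 1 and 2, because it is counting distinct status codes.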

68
MCQmedium

You are a Splunk administrator for a large e-commerce company. The marketing team has a dashboard that displays daily sales metrics, including revenue, number of transactions, and average order value. The dashboard is built using a single search that runs a `timechart` command across all events. Recently, the dashboard has been timing out and failing to load during peak hours (10 AM - 2 PM) when traffic is highest. The team needs the dashboard to be available with minimal latency. Which option best addresses the performance issue while maintaining data accuracy?

A.Split the single search into multiple smaller searches.
B.Reduce the time range on the dashboard to the last hour.
C.Create a summary index that pre-aggregates the sales metrics every hour and modify the dashboard to search this summary index.
D.Increase the search time limit in Splunk settings.
AnswerC

This reduces the data volume to search, improving performance without losing accuracy.

Why this answer

Option C is correct because a summary index populated hourly by a scheduled search moves the heavy `timechart` work out of the dashboard load path. The dashboard then queries a small, pre-aggregated dataset, which avoids the peak-hour timeouts, and the numbers stay accurate because the aggregation is computed from the raw events. The one trade-off to state up front is latency: the current hour is incomplete until the next scheduled run, which is acceptable for daily metrics.

Exam trap

The trap here is that candidates often choose splitting the search (Option A) thinking it improves parallelism, but several concurrent searches over the same raw data multiply I/O and CPU contention on the indexers, whereas summary indexing directly reduces the data volume scanned.

How to eliminate wrong answers

Option A is wrong because splitting the single search into multiple smaller searches increases the number of concurrent searches, which can worsen performance by consuming more system resources and causing additional contention during the very hours that are already overloaded. Option B is wrong because reducing the time range to the last hour only shifts the problem; it does not address the root cause of high query load during peak traffic, and the team needs the full 24-hour view for daily metrics. Option D is wrong because increasing the search time limit merely allows the slow search to run longer without fixing the underlying bottleneck; it does not reduce the computational load and may lead to resource exhaustion.

69
MCQeasy

A user wants to add a drilldown to a dashboard panel so that clicking a value opens a related search in a new tab. Which Simple XML attribute is used?

A.link
B.target
C.drilldown
D.href
AnswerC

The 'drilldown' attribute enables click actions, often set to 'row' or 'cell'.

Why this answer

In Simple XML, drilldown is enabled per panel with `<option name="drilldown">` (`row`, `cell` or `none` for tables; `all` or `none` for charts). By default a click runs the related search in the same window. To open it in a new tab, add a `<drilldown>` element to the panel whose `<link>` carries `target="_blank"`.

The `drilldown` option is the correct answer because it is what turns click behaviour on; `target` only controls where the resulting search opens.

Exam trap

Splunk often tests the distinction between the attribute that enables drilldown (`drilldown`) and the attribute that controls where the result opens (`target`), leading candidates to mistakenly choose `target` as the answer.

How to eliminate wrong answers

Option A is wrong because `link` is not what enables drilldown; `<link>` is an element inside `<drilldown>` that holds the destination, and it does nothing unless drilldown is switched on. Option B is wrong because `target` is an attribute on that `<link>` element that specifies where to open the result (`_blank` for a new tab); it does not enable drilldown by itself. Option D is wrong because `href` is an HTML anchor attribute, not a Simple XML drilldown attribute.

70
MCQmedium

A dashboard includes a pie chart showing the distribution of error types. The data comes from a search that uses `top` command. The pie chart is showing a slice labeled 'Other' that is very large. What is the most likely cause?

A.The `top` command is using `limit=0` which shows all values.
B.The search uses `rare` instead of `top`.
C.The pie chart has a maximum number of slices set to 5.
D.The `top` command default limit is 10, grouping remaining into 'Other'.
AnswerD

`top` defaults to `limit=10`, so the long tail beyond ten values ends up in a single Other slice (for `top` that row only appears with `useother=t`).

Why this answer

The `top` command returns the ten most common values by default (`limit=10`). When the field has many more distinct values, everything past the cutoff is the long tail, and if that tail is emitted as a single Other row (`useother=t`, labelled `OTHER` unless `otherstr` changes it) it can dwarf the individual slices. One caveat for practice: unlike `chart` and `timechart`, which group overflow series into `OTHER` by default, `top` only adds the Other row when `useother=true`; the exam's point is that the default limit, not the chart, is what leaves so much in the tail. Raising `limit`, or setting `limit=0`, removes it. Option D correctly identifies this default behavior as the most likely cause.

Exam trap

Splunk often tests the default limit of `top` (10) and the resulting Other grouping, and candidates may mistakenly blame the chart's slice settings or commands like `rare` instead.

How to eliminate wrong answers

Option A is wrong because `limit=0` returns every value, so there is no tail left to group into Other; if anything it removes the Other slice. Option B is wrong because `rare` returns the least common values, not the most common, and would not produce the observed large Other slice from the frequent error types. Option C is wrong because the question gives no such chart setting, and the Other row here comes from the search results that `top` produces, not from the visualization configuration.
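As an added example, the function below models the documented `limit`, `useother` and `otherstr` options of `top` in Python over a constructed set of error types. It is not Splunk code and the sample counts are made up; it shows that the default limit leaves the long tail out, that `useother=t` is what turns the tail into a single Other row, and that `limit=0` removes the cutoff entirely.

```python
from collections import Counter

# Constructed error_type values behind a pie chart: 12 distinct types, so the
# default limit of 10 leaves a tail (counts are invented, not real data).
ERROR_TYPES = (
    ["timeout"] * 30 + ["auth_failed"] * 25 + ["not_found"] * 20
    + ["rate_limited"] * 15 + ["bad_request"] * 10 + ["upstream_5xx"] * 8
    + ["tls_handshake"] * 7 + ["dns"] * 6 + ["disk_full"] * 5
    + ["oom"] * 4 + ["config"] * 3 + ["unknown"] * 2
)


def top(values, limit=10, useother=False, otherstr="OTHER"):
    """Model of `| top limit=<limit> useother=<bool> otherstr=<str> <field>`.

    Returns [(value, count, percent), ...] sorted by count descending.
    limit=0 means no cutoff. With useother=True the values beyond the cutoff
    are collapsed into one row labelled otherstr (Splunk's default label).
    """
    total = len(values)
    ranked = Counter(values).most_common()
    if limit > 0 and len(ranked) > limit:
        head, tail = ranked[:limit], ranked[limit:]
        if useother:
            head.append((otherstr, sum(count for _, count in tail)))
        ranked = head
    return [(value, count, round(100.0 * count / total, 2)) for value, count in ranked]


if __name__ == "__main__":
    for row in top(ERROR_TYPES, useother=True):
        print(row)
```

On this data the default call returns ten rows and silently drops `config` and `unknown`; with `useother=True` an eleventh row `("OTHER", 5, 3.7)` appears, and that is the slice the pie chart draws. Because the tail here is small the Other slice is small too; the larger the number of distinct values past the cutoff, the larger that slice gets, which is the situation in the question.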

71
MCQeasy

A user wants to create a bar chart showing the count of events by host for the last hour. Which command should be used?

A.`index=* | timechart count by host`
B.`index=* | top host`
C.`index=* | chart count by host`
D.`index=* | stats count by host`
AnswerD

This produces a table of hosts and their counts, suitable for a bar chart.

Why this answer

Option D is correct because `stats count by host` produces a table of hosts and their event counts, which can be directly visualized as a bar chart. The user wants a count of events by host for the last hour, and `stats` with a `by` clause is the appropriate transforming command to aggregate counts per host without time-series splitting.

Exam trap

Splunk often tests the distinction between `stats` and `timechart` — candidates mistakenly choose `timechart` because they think a bar chart requires a time axis, but the question asks for a count by host over the last hour, not a trend over time.

How to eliminate wrong answers

Option A is wrong because `timechart count by host` creates a time series with a separate series per host, not a single bar per host for the whole hour. Option B is wrong because `top host` limits the output to 10 hosts by default and adds count and percent columns; it is meant for ranking the most common values, not for charting every host. Option C is not invalid SPL: `chart count by host` with a single split-by field produces the same host/count table as `stats count by host`, so it would also drive a bar chart. The answer key expects `stats`, the canonical transforming command for a plain aggregation; reserve `chart` for the two-dimensional `chart <agg> over <row-field> by <column-field>` form.

72
Multi-Selecteasy

Which TWO options are valid ways to add a visualization to a dashboard using Splunk Web? (Choose two.)

Select 2 answers
A.Upload a CSV file directly as a new panel
B.Clone an existing panel and modify its search
C.Add a new panel and select a search from the saved searches list
D.Paste a URL of an external chart
E.Drag a visualization from the search results page onto the dashboard
AnswersB, C

Cloning is a valid way to duplicate and customize panels.

Why this answer

Option B is correct because cloning an existing panel in Splunk Web allows you to duplicate a panel along with its search, then modify the search to create a new visualization without starting from scratch. This is a standard workflow for reusing dashboard configurations efficiently.

Exam trap

The trap here is that candidates may think dragging a visualization from search results onto a dashboard is possible (option E) because of a common misconception about drag-and-drop functionality, but Splunk Web requires explicit panel addition via the dashboard editor or saved searches.

73
MCQeasy

A user wants to add a trend indicator to a single value visualization showing whether the count increased or decreased compared to the previous period. Which feature should be used?

A.Comparison
B.Trendline
C.Color coding
D.Sparkline
AnswerA

The Comparison feature in Single Value shows the change and trend arrow relative to a previous time period.

Why this answer

The Comparison feature in a single value visualization allows you to show a trend indicator (e.g., an up or down arrow) that compares the current value to a previous time period, such as the previous week or month. This directly answers the user's need to see whether the count increased or decreased compared to the previous period. It is configured in the 'Single Value' visualization options under 'Comparison' settings.

Exam trap

The trap here is that candidates often confuse the sparkline (which shows a trend over time) with the comparison feature (which shows a specific increase/decrease arrow), but the question explicitly asks for a 'trend indicator' comparing to a previous period, which is exactly what the Comparison feature provides.

How to eliminate wrong answers

Option B (Trendline) is wrong because a trendline is used in line or area charts to show the general direction of data over time, not to compare a single value to a previous period. Option C (Color coding) is wrong because color coding changes the color of the visualization based on thresholds or ranges, but it does not provide a directional indicator (up/down arrow) comparing to a previous period. Option D (Sparkline) is wrong because a sparkline is a small inline chart that shows the trend of data over time within a single value visualization, but it does not explicitly show a comparison arrow or percentage change to a previous period.

74
MCQhard

Refer to the exhibit. A security analyst runs this search to find top failed actions for admin accounts. The search returns no results, but there are failed actions for admin accounts in the data. What is the most likely cause?

A.The windows_security sourcetype does not contain a 'user' field.
B.The eval command uses match which is case-sensitive; the admin usernames may start with lowercase 'admin'.
C.The where clause should use 'search' instead.
D.The stats command should be before eval.
AnswerB

Correct. `match()` is case-sensitive; wrap the field in `lower()` or use a case-insensitive regex such as `(?i)^admin`.

Why this answer

The `where` clause runs after `stats` and keeps only rows whose `account_type` is `admin`. That field comes from the `eval` that calls `match()` on `user` with a pattern starting with `Admin`, and `match()` is case-sensitive: if the admin usernames in the data start with lowercase `admin`, nothing matches, every row is classified `user`, and the `where` filter removes everything. Fix it with `match(lower(user), "^admin")` or `match(user, "(?i)^admin")`, and confirm the field exists with a quick `| stats count by user` before blaming the regex.
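As an added example (Python, not Splunk code, and not the exhibit), the functions below re-implement the eval/where/stats logic over a handful of constructed Windows Security-style records. The field names `user` and `action` and the as-written pattern `^Admin` are assumptions; the example shows the empty result the case-sensitive pattern produces and both fixes returning the same ranked list.

```python
import re
from collections import Counter

# Constructed Windows Security-style records with fields already extracted
# (assumed field names: user, action; not real log data).
RECORDS = [
    {"user": "admin_jdoe",   "action": "failure"},
    {"user": "admin_jdoe",   "action": "failure"},
    {"user": "ADMIN-backup", "action": "failure"},
    {"user": "jsmith",       "action": "failure"},
    {"user": "admin_jdoe",   "action": "success"},
    {"user": "adminsvc",     "action": "success"},
]

# Assumed to be the exhibit's pattern: match() is case-sensitive, so no
# username that starts with lowercase "admin" can satisfy it.
PATTERN_AS_WRITTEN = r"^Admin"
# Fix 1: make the regex itself case-insensitive.
PATTERN_CASE_INSENSITIVE = r"(?i)^admin"


def account_type(user, pattern, lower_first=False):
    """eval account_type=if(match(user, "<pattern>"), "admin", "user")
    lower_first=True mirrors Fix 2: match(lower(user), "^admin").
    """
    subject = user.lower() if lower_first else user
    return "admin" if re.search(pattern, subject) else "user"


def top_failed_admin_users(records, pattern, lower_first=False):
    """... | eval account_type=... | where action="failure" AND account_type="admin"
       | stats count by user | sort -count
    Returns [(user, count), ...] ranked the way `top` would rank them.
    """
    counts = Counter()
    for rec in records:
        if rec["action"] != "failure":
            continue
        if account_type(rec["user"], pattern, lower_first) == "admin":
            counts[rec["user"]] += 1
    return counts.most_common()


if __name__ == "__main__":
    print("as written   :", top_failed_admin_users(RECORDS, PATTERN_AS_WRITTEN))
    print("(?i) regex   :", top_failed_admin_users(RECORDS, PATTERN_CASE_INSENSITIVE))
    print("lower() first:", top_failed_admin_users(RECORDS, r"^admin", lower_first=True))
```

The as-written pattern still classifies a capitalised `Administrator` correctly, which is why the search looks right in a quick test and then returns nothing against data where the accounts are named in lowercase.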

75
Multi-Selectmedium

Which three of the following are valid approaches for creating a dashboard in Splunk Web? (Choose three.)

Select 3 answers
A.Convert an existing report into a dashboard panel.
B.Create a new dashboard using the Dashboard Studio editor.
C.Import a dashboard definition from a saved XML file.
D.Generate a dashboard automatically from a search job's statistics tab.
E.Clone a dashboard from the Settings > Knowledge menu.
F.Use the REST API to create a dashboard from a CSV lookup file.
AnswersA, B, C

Why this answer

These three options are correct because Splunk Web provides direct, supported methods for each. Converting an existing report into a dashboard panel is a standard workflow from the report's own menu. The Dashboard Studio editor is the built-in interface for creating dashboards from scratch.

Importing a saved definition works by creating a new dashboard and pasting the saved XML (or, for Dashboard Studio, JSON) into the Source editor; there is no file picker in the dialog, but the definition is reproduced exactly.

Exam trap

Splunk often tests the distinction between actions available in the UI versus those that require manual or programmatic steps; the trap here is that candidates might think the Statistics tab or Settings menu can create dashboards, but those features are not designed for that purpose.
