SPLK-1002 · topic practice
Practise Splunk Core Certified User SPLK-1002 Troubleshooting practice questions — original exam-style scenarios with answer choices, explanations, and analysis of common mistakes.
Courseiva uses original exam-style practice questions designed for learning and revision. The goal is to understand the concepts, recognise exam patterns, and improve through explanations — not memorise copied exam dumps.
What the exam tests
Troubleshooting questions test whether you can apply the concept in context, not just recognise a definition.
How the topic appears in realistic exam-style scenarios.
Which detail in the question changes the correct answer.
How to eliminate plausible but wrong options.
How to connect the question back to the wider exam objective.
Practice set
7 questions
Use the `| datamodel <model> search` command to preview data and identify missing fields.
Correct: This command shows raw data and field values, helping to pinpoint missing fields.
Rebuild the data model acceleration.
Why wrong: Rebuilding acceleration may not fix field population issues.
Increase the acceleration time range.
Why wrong: Acceleration time range affects data retention, not field population.
Check the field extractions in transforms.conf.
Why wrong: Field extractions are important but not the most effective first step.
The summary index must be writable and have enough disk space.
Correct: Acceleration writes summaries to a summary index; it must be writable.
Too many fields in the data model can cause acceleration to fail.
Why wrong: Many fields may reduce performance but do not cause failure.
The data model must be based on a real-time search to be accelerated.
Why wrong: Acceleration works on historical time ranges, not only real-time.
Insufficient memory on the indexer for the summary build process.
Correct: Memory shortage can halt acceleration builds.
The base search for the data model must be efficient and must not time out.
Correct: A slow or timing-out base search prevents acceleration from completing.
The acceleration summary for that data model has not been rebuilt recently, causing outdated data.
Why wrong: Outdated summary would affect accuracy, not speed.
The report is using the data model incorrectly; it should use |datamodel instead of |tstats.
Why wrong: tstats is the recommended way to search accelerated data models.
The field used in the filter is not defined as a constraint field in the data model, so tstats cannot use acceleration for that filter.
Correct: Filtering on non-constraint fields forces a full event search.
The time range is too broad, causing the acceleration summary to include too many events.
Why wrong: Broad time range might be slower but not specifically due to field type.
The lookup table must have exactly one row per unique time value
Why wrong: Multiple rows may have the same time value, but only one should match the event's time range for a proper match.
The lookup must be defined as an automatic lookup in props.conf
Why wrong: Automatic lookups are optional; you can use the lookup command in searches.
The lookup definition must specify the time format used in the time_field column
Correct: The time_format must match the format in the lookup file for correct parsing.
The event's timestamp (or a specified time field) must fall between the start_time and the end_time of a row
Correct: Time-based lookups match if the event time is within the row's time range.
The event must match at most one row in the lookup table for the given time range
Correct: If multiple rows match, the behavior is undefined; the lookup should be designed to yield a single match.
Add | stats count by src_ip, _time to the search
Why wrong: Adding _time increases the number of groups and slows down the search.
Change to | tstats count from datamodel=firewall_dm where action=block by src_ip | where count > 1000
Correct: tstats uses the accelerated data model, drastically reducing the amount of data scanned.
Add | fields src_ip before the stats command
Why wrong: Limiting fields can help, but the main bottleneck is scanning raw data; this provides minimal improvement.
| search action=block instead of placing action=block in the base search
Why wrong: This is a syntax change; it does not affect performance significantly.
The user's default app is set incorrectly.
Why wrong: It's set to Search & Reporting.
The user has disabled the timeline in their preferences.
Why wrong: There is no such user preference.
The browser window is too small, causing panels to be hidden by the responsive interface.
Correct: Small windows hide side panels in Splunk Web.
The user's role does not have permission to view the timeline.
Why wrong: The timeline is not permission-based.