Splunk splk-1001 practice test
Splunk Core Certified User Exam
Last exam update: Nov 08 ,2025
Page 1 out of 16. Viewing questions 1-15 out of 226
Question 1
What is the correct syntax to count the number of events containing a vendor_action field?
-
A.
count stats vendor_action
-
B.
count stats (vendor_action)
-
C.
stats count (vendor_action)
-
D.
stats vendor_action (count)
Question 2
By default, which of the following fields would be listed in the fields sidebar under Interesting Fields?
-
A.
host
-
B.
index
-
C.
source
-
D.
sourcetype
Question 3
When looking at a dashboard panel that is based on a report, which of the following is true?
-
A.
You can modify the search string in the panel, and you can change and configure the visualization.
-
B.
You can modify the search string in the panel, but you cannot change and configure the visualization.
-
C.
You cannot modify the search string in the panel, but you can change and configure the visualization.
-
D.
You cannot modify the search string in the panel, and you cannot change and configure the visualization.
Question 4
Which of the following is a best practice when writing a search string?
-
A.
Include all formatting commands before any search terms
-
B.
Include at least one function as this is a search requirement
-
C.
Include the search terms at the beginning of the search string
-
D.
Avoid using formatting clauses as they add too much overhead
Question 5
What type of search can be saved as a report?
-
A.
Any search can be saved as a report
-
B.
Only searches that generate visualizations
-
C.
Only searches containing a transforming command
-
D.
Only searches that generate statistics or visualizations
Question 6
What can be included in the All Fields option in the sidebar?
-
A.
Dashboards
-
B.
Metadata only
-
C.
Non-interesting fields
-
D.
Field descriptions
Question 7
What syntax is used to link key/value pairs in search strings?
-
A.
action+purchase
-
B.
action=purchase
-
C.
action | purchase
-
D.
action equal purchase
Question 8
When viewing the results of a search, what is an Interesting Field?
-
A.
A field that appears in any event
-
B.
A field that appears in every event
-
C.
A field that appears in the top 10 events
-
D.
A field that appears in at least 20% of the events
Question 9
What syntax is used to link key/value pairs in search strings?
-
A.
Parentheses
-
B.
@ or # symbols
-
C.
Quotation marks
-
D.
Relational operators such as =, <, or >
Question 10
When a Splunk search generates calculated data that appears in the Statistics tab, in what formats
can the results be exported?
-
A.
CSV, JSON, PDF
-
B.
CSV, XML, JSON
-
C.
Raw Events, XML, JSON
-
D.
Raw Events, CSV, XML, JSON
Question 11
Which of the following are functions of the stats command?
-
A.
count, sum, add
-
B.
count, sum, less
-
C.
sum, avg, values
-
D.
sum, values, table
Question 12
In a deployment with multiple indexes, what will happen when a search is run and an index is not
specified in the search string?
-
A.
No events will be returned.
-
B.
Splunk will prompt you to specify an index.
-
C.
All non-indexed events to which the user has access will be returned.
-
D.
Events from every index searched by default to which the user has access will be returned.
Question 13
Which search matches the events containing the terms "error" and "fail"?
-
A.
index=security Error Fail
-
B.
index=security error OR fail
-
C.
index=security “error failure”
-
D.
index=security NOT error NOT fail
Answer:
A
Reference:
https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Search
Question 14
Which of the following is an option after clicking an item in search results?
-
A.
Saving the item to a report
-
B.
Adding the item to the search.
-
C.
Adding the item to a dashboard
-
D.
Saving the search to a JSON file.
Question 15
When placed early in a search, which command is most effective at reducing search execution time?
-
A.
dedup
-
B.
rename
-
C.
sort -
-
D.
fields +
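As an added worked example, not part of the original practice test, the three SPL searches below show the syntax that questions 1, 13 and 15 ask about. The first relies on search terms being case-insensitive and implicitly ANDed, so both "error" and "fail" must occur in an event. The second uses count(field), which counts only events where the named field has a value, next to a bare count of every event. The third places fields + before the transforming command so that only the listed fields flow through the rest of the pipeline. index=security and vendor_action come from the questions; sourcetype=firewall and the action, src_ip and user field names are assumed for illustration.

```spl
index=security error fail

index=security sourcetype=firewall
| stats count(vendor_action) AS events_with_vendor_action, count AS all_events

index=security sourcetype=firewall action=blocked
| fields + src_ip, user, vendor_action
| stats count(vendor_action) AS blocked, dc(user) AS distinct_users BY src_ip
| sort - blocked
```

Comparing the two numbers from the second search is a useful health check: firewall events that arrive without a vendor_action value usually mean a field extraction broke or the log format changed, and that gap will silently hide blocked traffic from any report built on that field.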