Unlock hundreds more features
Save your Quiz to the Dashboard
View and Export Results
Use AI to Create Quizzes and Analyse Results

OR
Sign inSign in with Facebook
Sign inSign in with Google
Quizzes > Computers & IT

Splunk Core Certified User: Using Fields Quiz

Quick, free search commands quiz to check your skills. Instant results.

Editorial: Review CompletedCreated By: Carly WraegUpdated Aug 26, 2025
Difficulty: Moderate
2-5mins
Learning OutcomesCheat Sheet
Paper art quiz layout with laptop showing Splunk command prefixes default fields tweaks on sky blue background

This Splunk Core Certified User quiz helps you practice using fields, tune search commands, and review lookups and subsearches with focused questions. See strengths at a glance and what to study next. For related practice, try our cybersecurity certification practice quiz and the cloud practitioner quiz to broaden your fundamentals.

What is the default search mode in Splunk Web?
Fast
Normal
Verbose
Smart
Splunk Web defaults to Fast search mode, which optimizes search speed by limiting field discovery. Smart mode balances field discovery and performance, while Verbose discovers all possible fields. Normal is not a designated Splunk search mode.
Which default field holds the event timestamp in Splunk?
time
timestamp
event_time
_time
Splunk automatically populates the _time field with the event's timestamp for indexing and searching. Other fields like timestamp or event_time are not default. This default behavior ensures uniform time-based searches.
Which command lists or limits the fields returned in your search results?
stats
eventstats
table
fields
The fields command explicitly includes or excludes specified fields from the search results. Table formats fields into a table but does not limit underlying fields. Stats aggregates data rather than listing them.
Which prefix command filters events using a condition?
search
lookup
filter
where
The where command applies conditional expressions to include only matching events post-search. Search treats its arguments as a full Splunk search. Filter is not a valid prefix command.
Which command creates a time-based aggregation of events?
trendline
stats
chart
timechart
Timechart aggregates events across time intervals and plots a time series. Chart aggregates across specified dimensions without enforcing time bins. Stats is a general aggregation command.
Which command calculates the count of events?
stats count
eventcount
eval count
count
stats count returns the total number of events in the search pipeline. Eval can create new fields but does not count events by itself. There is no standalone count command.
Which wildcard matches any single character in Splunk searches?
?
*
#
+
In Splunk search syntax, the ? wildcard matches exactly one character. The * wildcard matches zero or more characters. + and # are not wildcards.
Which default field identifies the host from which events originate?
host
source
sourcetype
index
Splunk sets the host field to the origin machine or source of the data. Source and sourcetype describe the file path or data format, respectively. Index identifies the event store.
Which command renames fields in search results?
rename
eval
fieldalias
translate
The rename command changes field names in the output. fieldalias creates alternate names but does not replace the original field. Eval can calculate or transform values but not rename fields.
Which command extracts key-value pairs from raw text automatically?
kv
keyval
pair
extract
The kv command extracts structured key-value pairs from unstructured text. Extract is a general parser but kv is optimized for key=value patterns. keyval and pair are not valid commands.
How do you remove a field named response_time from display?
delete response_time
remove field=response_time
exclude field=response_time
fields - response_time
Using fields - response_time excludes that field from the output. Splunk's fields command supports inclusion or exclusion with + or -. Other syntaxes are invalid.
Which syntax denotes a subsearch in Splunk?
[ search ... ]
< search ... >
( search ... )
{ search ... }
Subsearches are enclosed in square brackets [ ] and are executed first, feeding results to the main search. Parentheses, braces, and angle brackets are not used for subsearches.
What is the default index when none is specified?
splunk_index
primary
default
main
When no index is defined, searches default to the main index. The default entry in indexes.conf names it main. There is no default index called primary or default.
Which stats function returns the sum of a numeric field?
aggregate sum(field)
stats sum(field)
stats total(field)
eval sum(field)
stats sum(field) computes the total sum of the specified numeric field. There is no total function in stats. Eval does transformations but not specialized aggregations. Stats Functions
Which argument sets the earliest time in a Splunk search?
begin
from
earliest
starttime
The earliest argument defines the start time boundary for searches. There are no parameters named starttime or from in Splunk. Understanding time modifiers is essential for precise time-range searches.
Which stats function returns the count of distinct values in a field?
stats uniq(field)
stats dc(field)
stats distinct(field)
stats unique(field)
The dc() function in stats returns the distinct count of values in the specified field. Splunk does not support uniq() or unique() as stats functions.
Which command calculates the average of a numeric field?
eventstats avg(field)
stats avg(field)
stats mean(field)
eval avg(field)
stats avg(field) computes the arithmetic average of the field across events. eventstats avg(field) appends the average value to each event rather than summarizing. There is no mean() function. Stats Functions
Which command merges two result sets based on a common field?
union
merge
combine
join
The join command merges search results on a matching field. Union and combine are not valid Splunk commands, and merge is not used for field-based joins.
What does the rex command do in Splunk searches?
Searches external data
Evaluates mathematical expressions
Renders charts
Extracts fields using regular expressions
rex uses regular expressions to extract named fields from _raw text. It does not evaluate math or render visualizations. Understanding rex is key for advanced field extraction.
Which command would you use to enrich events with external lookup data?
append
lookup
collect
inputlookup
lookup enriches events by matching fields against an external CSV or KV store lookup table. inputlookup simply reads the entire lookup table. collect writes events to an index.
Which command sorts search results by a specified field?
order
sort
arrange
rank
The sort command orders events by the specified field in ascending or descending order. There is no order or arrange command in Splunk. rank provides ranking but not full sorting.
Which eval function transforms text to uppercase?
capitalize(field)
uppercase(field)
touppercase(field)
upper(field)
eval upper(field) returns the uppercase version of a string field. There are no functions named touppercase or uppercase. capitalize only affects the first character. Eval Functions
How do you remove events where the status field is null?
search status!=null
where isnotnull(status)
filter status=*
where status!=null
where isnotnull(status) filters out events with null or missing status. Using !=null is not valid syntax. filter is not a Splunk command.
What is the default result limit for a subsearch?
10,000
5,000
1,000
100,000
Subsearches return up to 10,000 results by default. This limit prevents performance issues. You can adjust maxout and maxsearches in limits.conf.
Which props.conf setting controls automatic key-value extraction?
KV_AUTO
EXTRACT_KV
KV_MODE
AUTO_KV
KV_MODE in props.conf enables or disables automatic key-value field extraction. Other names are not recognized by Splunk. Correct configuration is required for inline field extraction.
Which command groups results by multiple fields?
table field1, field2
groupby field1, field2
chart count over field1, field2
stats count by field1, field2
stats count by field1, field2 aggregates event counts grouped by both fields. chart does aggregations but does not use 'over' syntax. There is no groupby command.
What does the eventstats command do?
Extracts timestamp fields
Filters events
Calculates statistics and adds them to each event
Creates summary indexes
eventstats computes statistics like stats but retains all events and adds fields to them. It does not create summary indexes or extract timestamps.
Which command reads an existing lookup table into search results?
lookup
inputlookup
readlookup
outputlookup
inputlookup returns all rows from a lookup table as events. lookup enriches existing events. outputlookup writes results to a lookup. readlookup is not a Splunk command.
Which command displays only the first N events?
first N
head N
limit N
top N
head N returns the first N results from the pipeline. top N returns the most frequent values of a field. There are no limit or first commands.
Which mode does rex use to perform sed-style substitutions?
sub=sed
mode=sed
type=sed
mode=replace
rex mode=sed applies sed-style regex substitutions on _raw text. You must specify mode=sed explicitly. Other parameters are invalid.
Which regex in rex extracts an IPv4 address into a field named client_ip?
rex client_ip=_raw "(?P\d+\.\d+\.\d+\.\d+)"
rex field=_raw "(?\d{1,3}(?:\.\d{1,3}){3})"
rex field=client_ip "\d{1,3}(\.\d{1,3}){3}"
rex field=_raw "client_ip=(?\d+\.\d+\.\d+\.\d+)"
The syntax (?...) names the capture group, and the non-capturing group (?:...) handles repetition. Other options misplace field names or use invalid group syntax.
What does the collect command do in a Splunk search?
Writes search results to a summary index
Collects events for indexing
Generates lookup files
Aggregates inline data
collect writes the current search results into a specified summary index. It does not create lookup files or inline aggregations. This command is used for summary indexing.
Which file in Splunk configuration maps sourcetypes to transforms?
outputs.conf
props.conf
inputs.conf
transforms.conf
props.conf defines how incoming data (sourcetype) is processed and references transforms. transforms.conf defines the actual transformations. Inputs.conf and outputs.conf configure data routing.
What is required for running tstats on a dataset?
A summary index
A KV store collection
A lookup table
An accelerated data model or metrics index
tstats queries indexed fields from accelerated data models or metrics indexes for high performance. It does not operate on summary indexes or lookups.
Which command parses JSON objects in event data?
jsonparse
parseJSON
spath
extract kv
spath automatically parses JSON or XML fields into searchable fields. There is no jsonparse or parseJSON command. kv only handles key=value pairing.
How can you display the duration of each event in seconds?
stats duration=_time-
timechart span=1s duration
eval duration=_time-
where duration>0
Using eval lets you calculate a new field duration by subtracting timestamp fields. Stats does aggregations, not per-event calculation.
Which setting in limits.conf controls subsearch maximum time?
subsearch_time_limit
maxtime
maxsubsearch
search_timeout
maxtime in limits.conf sets the maximum runtime for subsearches. Other names are not valid. This prevents runaway subsearch performance issues.
Which command allows you to accumulate log data across different hosts?
append hosts
merge host
collect index=summary hostfield=host
union host
collect can write events into a summary index across hosts using hostfield. merge, union, and append syntax do not support this operation.
Which configuration file sets up data forwarding destinations?
transforms.conf
outputs.conf
inputs.conf
props.conf
outputs.conf defines forwarder targets, ports, and protocols. inputs.conf configures data inputs. props.conf and transforms.conf handle event parsing.
How do you configure Splunk to ignore the first line of a multiline event?
inputs.conf ignore_first_line=true
transforms.conf first_line=skip
props.conf skipHeader=true
props.conf LINE_BREAKER and SHOULD_LINEMERGE settings
You adjust LINE_BREAKER to split events correctly and set SHOULD_LINEMERGE=false to prevent merging. There is no ignore_first_line parameter.
What is the default maximum size for an indexed event?
100,000 bytes
64,000 bytes
1,000 bytes
10,000 bytes
Splunk by default indexes up to 10,000 bytes per event to prevent extremely large event segments. You can adjust this in limits.conf.
Which command would you use to calculate a running total over time?
streamstats sum(count) as cumulative
eventstats cumulative=count
timechart sum(count) cumulative
stats sum(count) as cumulative
streamstats computes cumulative metrics per event as it streams through the pipeline. stats only summarizes overall results, not per-event running totals.
How do you limit a lookup to only match the first value per field?
lookup unique=true
lookup maxmatch=1
lookup first=true
lookup local=true
Using local=true restricts the lookup to return one match per event from the local lookup table. maxmatch is a search command argument rather than lookup parameter.
Which setting in inputs.conf specifies the sourcetype of incoming data?
format
type
sourcetype
datatype
The sourcetype attribute in inputs.conf defines how Splunk interprets the data format. There is no type or datatype parameter. Correct sourcetype configuration ensures proper parsing.
Why is tstats generally faster than stats when querying large datasets?
It uses parallel processing across cluster peers
It loads data into memory before searching
It queries indexed summary fields rather than raw events
It bypasses user authentication
tstats operates on indexed data from accelerated data models or metrics indexes, which reduces the amount of scanned raw data. Stats works on unindexed raw events, making it slower for large datasets.
How can you optimize a search that uses multiple field extractions?
Pre-configure field extractions in props.conf to shift work to indexing
Disable event breaking to reduce extractions
Use rex in every search for dynamic extraction
Increase search concurrency
Moving regex field extractions to props.conf at index time offloads extraction overhead from search time. Using rex in each search is less efficient, and adjusting concurrency does not reduce extraction costs.
In Splunk, what is the purpose of the summary index rollover policy?
To manage disk usage by rolling summary data over based on size or time
To refresh accelerated data models
To archive raw event data automatically
To rotate lookup files
The rollover policy for summary indexes ensures older summary data is archived or deleted to control disk usage. It is unrelated to raw events, data models, or lookups.
Which Splunk feature provides accelerated search lookups by storing pre-computed results?
Summary indexing
Summary reports
Data model acceleration
KV store lookups
Data model acceleration uses summary-based acceleration to speed up pivot and tstats searches by storing pre-computed data. Summary indexing is a separate feature for historical data aggregation.
How do you troubleshoot a slow Splunk search that uses subsearches?
Increase dispatch.timeout in web.conf
Disable field extraction completely
Use more wildcard searches
Check subsearch result limits and use tstats or optimize base search
Slow subsearches often exceed default limits or run on raw data; optimizing the base search, leveraging tstats, or raising subsearch limits can help. Changing dispatch timeouts or using wildcards can worsen performance.
0
{"name":"What is the default search mode in Splunk Web?", "url":"https://www.quiz-maker.com/QPREVIEW","txt":"What is the default search mode in Splunk Web?, Which default field holds the event timestamp in Splunk?, Which command lists or limits the fields returned in your search results?","img":"https://www.quiz-maker.com/3012/images/ogquiz.png"}

Study Outcomes

  1. Understand search command prefixes -

    Recognize which character (such as the pipe "|") is used in a search before a command and how it structures query flow.

  2. Identify default selected fields -

    Determine which fields Splunk returns by default (for example _time, host, source) to streamline data exploration.

  3. Apply field appearance commands -

    Select and use the appropriate command (e.g., eval, rename) to modify or format field values in search results.

  4. Construct effective Splunk queries -

    Combine commands and filters to build precise searches that return relevant data quickly.

  5. Interpret and refine search results -

    Analyze query output, spot patterns or anomalies, and adjust searches for deeper insights.

Cheat Sheet

  1. Pipe Symbol for Command Prefixes -

    In Splunk searches, the pipe character (|) is the answer to "which character is used in a search before a command." Think of it as a conveyor belt that hands off results from one command to the next - your mental mnemonic can be "Pipe It Along." Official Splunk docs confirm that any command following the initial search must start with this symbol to execute properly.

  2. Default Selected Fields -

    When the quiz asks "which of the following fields are default selected fields," remember Splunk always includes _time, host, source, and sourcetype by default. These fields give you essential event context without having to explicitly extract them each time (Splunk Docs: "Fields List"). A handy trick: think "THSS" (Time, Host, Source, Sourcetype) as your core field quartet.

  3. Using fieldformat to Tweak Appearance -

    To answer "which command changes the appearance of field values," look no further than fieldformat. Unlike eval, fieldformat modifies only how values display, preserving the original data. For example, fieldformat bytes=round(bytes/1024,2)." KB" will show kilobytes neatly in dashboards.

  4. Stats Command for Aggregations -

    Stats is a transformation command that summarizes event data - perfect for the Splunk Core Certified User quiz's aggregation questions. Use syntax like stats count by host to see how many events came from each host. A simple memory trick is "Stats Stacks Summaries."

  5. Search Modes: Fast, Smart, and Verbose -

    Splunk's search UI offers three modes - fast, smart, and verbose - to balance speed versus detail. Fast mode skips field discovery for quicker results, smart uses selected fields, and verbose pulls in everything; picking the right mode can be the difference between a swift answer on your quiz and a sluggish search. Remember "FSV" to choose the best fit for performance versus insight.

Make a Quiz (FREE) Copy & Edit This Quiz Create a Quiz with AI

Programming & Software Quizzes

Powered by: Quiz Maker