Getting Started with SPLK-1002

The Splunk Core Certified Power User (SPLK-1002) is the second tier in Splunk's certification path, sitting above the Core Certified User (SPLK-1001) and below the Enterprise Certified Admin (SPLK-1003). It validates that you can write intermediate SPL (Search Processing Language), build knowledge objects, use statistical commands, and create data models and lookups. If you use Splunk to build searches, dashboards, and reports in a professional capacity, this is the certification that proves you can do the job.

This guide covers what the exam tests, the SPL commands you need to know, and how to structure your study.

Exam Overview

60 minutes for 57 questions is tight. You have about 63 seconds per question. Practising under timed conditions is important for this exam.

Exam Domains

Using Fields and Statistical Processing together are 40% of the exam. Strong SPL fundamentals, particularly around transforming commands and statistical analysis, are the foundation everything else builds on.

Core Topics to Master

SPL Fundamentals

The SPLK-1002 assumes you already understand basic SPL from the SPLK-1001 level. You need to be comfortable with search pipelines, time ranges, and basic field manipulation before studying Power User content.

The search pipeline concept is central: each command in a Splunk search receives events from the previous stage and passes results to the next. Understanding which commands are streaming (process each event as it arrives), transforming (produce a new result table), and generating (create events from nothing) helps you understand why command order matters and when you can change it.

Statistical Processing Commands

These are the most heavily tested commands. Know each one's syntax and when to use it:

• stats: aggregate events into statistics. Common functions: count, sum, avg, min, max, values, list, dc (distinct count). stats count by host counts events per host.
• chart: similar to stats but designed for visualisations; creates a table with an x-axis field. chart count by host over time produces a chart.
• timechart: like chart but always uses time on the x-axis. The primary command for time-series visualisations.
• eval: creates or modifies fields using expressions and functions. eval response_time_ms = response_time * 1000
• rex: extracts fields using regular expressions. rex field=_raw "(?P<username>\w+) logged in"
• rename: renames fields in results. rename clientip as "Client IP Address"
• sort: orders results by one or more fields. sort -count sorts descending by count.
• dedup: removes duplicate events based on field values. dedup host user removes duplicates with same host and user combination.
• top: returns the most common values of a field. Faster than stats count by for simple frequency analysis.
• rare: returns the least common values. Useful for anomaly detection.

Field Commands and Extractions

Understanding how Splunk handles fields is fundamental to the Power User exam:

• Fields: Splunk extracts fields at search time from raw event data. Fields discovered at index time (like host, source, sourcetype) are available without any configuration. Custom field extractions can be added via regex.
• field extractions: use rex in a search or create persistent field extractions via the field extractor wizard. Know the difference between inline and persistent extractions.
• field aliases: create alternative names for extracted fields without modifying the underlying extraction.
• Calculated fields: use eval expressions to create persistent computed fields that appear in all searches matching a given sourcetype.
• tags: assign labels to field-value pairs. tag=privileged_user can tag specific users. Tags let you group and correlate events across sources.
• Event types: saved searches that define a category of event. Used to tag and classify events. Event types let you apply a label to any event matching a search.

Lookups

Lookups enrich your Splunk data by adding fields from external data sources:

• CSV lookups: the most common type. A CSV file stored in Splunk is used to add fields to events based on matching field values. lookup users_lookup username OUTPUT department
• KV Store lookups: store lookup data in a Splunk key-value store; useful for frequently updated data that a CSV file would be slow to manage
• Automatic lookups: configure a lookup to run automatically whenever events from a specific sourcetype are returned; no need to include the lookup command in every search
• lookup command syntax: | lookup <lookup_name> <input_field> OUTPUT <output_field> or OUTPUTNEW to only populate the field if it's not already set

Macros

Macros are reusable search snippets stored in Splunk. They let you define a search string once and reference it anywhere with a backtick syntax:

• Define a macro in Settings > Advanced Search > Search Macros
• Reference it in a search: `my_macro`
• Macros can accept arguments: `my_macro(field_name)`
• The backtick syntax is important: macro_name in backticks, not quotes

Macros improve search consistency and maintainability. The exam tests whether you know how to create them and when to use them versus other knowledge objects.

Visualisations

Splunk supports multiple visualisation types. Know which transforming command produces which chart type:

Trellis layout splits a single visualisation into multiple panels grouped by a field value. Useful for comparing behaviour across multiple hosts or sources simultaneously.

Correlating Events

The transaction command groups related events into a single result:

• transaction session_id: groups all events sharing the same session_id into one transaction
• maxspan: maximum duration for a transaction. Events outside this window start a new transaction.
• maxpause: maximum gap between events within a transaction
• startswith and endswith: patterns that mark the start and end of a transaction

Transaction is powerful but expensive. For large datasets, stats is faster for aggregation. Use transaction when you specifically need to group individual events that share a characteristic over time.

Common Exam Traps

stats vs chart vs timechart: all three aggregate data, but chart expects two fields (x-axis and y-axis), timechart always uses time on the x-axis, and stats produces a flat table. Choosing the wrong command in a question about building a specific visualisation is a common error.

OUTPUT vs OUTPUTNEW in lookups: OUTPUT always overwrites the field value even if it already has data. OUTPUTNEW only populates the field if it's null. Questions about preserving existing field values point to OUTPUTNEW.

Tags vs Event Types: tags label specific field-value pairs (like flagging a specific IP as tag=malicious). Event types classify events matching a search pattern. These serve different purposes and are not interchangeable.

Macro syntax: macros use backticks, not quotes or other delimiters. Getting this wrong on the exam is an easy mark to lose if you haven't practised writing macro syntax from memory.

Study Plan

Hands-on practice in a Splunk instance is valuable for this exam. Splunk offers a free Developer licence for a local installation and Splunk Cloud has a free 14-day trial. Writing the commands yourself is far more effective than reading about them.

Recommended Resources

• Splunk Fundamentals 2 (free, Splunk Education)
• Splunk documentation: Search Reference
• SPLK-1002 practice exams on this site

Final Thoughts

The SPLK-1002 rewards candidates who write SPL regularly. If you use Splunk in your job to build searches and dashboards, the exam material will feel like a formalisation of what you already do. Candidates studying without access to a Splunk instance will find the command syntax harder to retain.

Get hands-on with a Splunk trial or developer instance. Write the statistical commands, build lookups, create macros, and run transactions on real data. The 60-minute time limit rewards fluency, and you'll only be fluent if you've typed the commands more than once.

Start with our SPLK-1002 practice exams to benchmark your current level and identify which domains to focus on first.