The SPLK-1002 is the Splunk Core Certified Power User exam, sitting one level above the Core Certified User (SPLK-1001). It's aimed at Splunk users who go beyond basic searching and need to create and manage knowledge objects, build advanced searches, and normalise data with the Common Information Model. If you've passed SPLK-1001, the SPLK-1002 is the natural next step.
The Short Answer
The SPLK-1002 is of moderate difficulty: harder than the SPLK-1001, but not in the same tier as the admin or architect certifications. The content is more specialised and requires hands-on familiarity with knowledge objects, data models, and the CIM add-on. Candidates who use Splunk regularly but haven't explored power user features tend to struggle with the subtler distinctions between similar features.
What the Exam Actually Tests
The SPLK-1002 focuses on the features that make Splunk more powerful: knowledge objects that enrich and reuse search logic, data models that enable fast analytics, and CIM normalisation that allows cross-source analysis.
Common question types:
- "What is the difference between a field alias and a calculated field in Splunk?" (aliases rename existing fields; calculated fields create new ones using eval expressions)
- "When should you use the transaction command instead of stats?" (when you need to group related events by session or sequence, not just aggregate values)
- "Which type of workflow action would you configure to pass a field value from Splunk to an external web application?" (POST workflow action)
- "What is the purpose of CIM Technology Add-ons?" (to normalise source data so that fields from different data sources map to consistent CIM field names)
- "What command would you use to search a data model acceleration summary?" (tstats)
Exam Format
- 65 questions
- 57 minutes
- Passing score: 70%
- Multiple choice
- Available online proctored or at a Pearson VUE test centre
The Ten Domains
| Domain | Weight |
|---|---|
| Correlating Events | 15% |
| Filtering and Formatting Results | 10% |
| Creating and Managing Fields | 10% |
| Creating Field Aliases and Calculated Fields | 10% |
| Creating Tags and Event Types | 10% |
| Creating and Using Macros | 10% |
| Creating and Using Workflow Actions | 10% |
| Creating Data Models | 10% |
| Using the Common Information Model Add-On | 10% |
| Using Transforming Commands for Visualizations | 5% |
The domains are weighted fairly evenly. Event correlation at 15% is the largest but not overwhelmingly so. Coverage across all ten areas is required.
What Makes It Challenging
The 57-Minute Time Limit
65 questions in 57 minutes is under a minute per question. This is tighter than most certification exams. You don't have time to carefully reason through every question. Candidates who know the material can move quickly; candidates who are uncertain on multiple topics will run short on time. Speed comes from genuine familiarity, not just study.
Subtle Distinctions Between Similar Features
The SPLK-1002 tests areas where the correct answer depends on a nuanced difference. Field aliases vs calculated fields. Tags vs event types. Workflow GET vs POST vs Search actions. The transaction command's maxspan vs maxpause parameters. Macros with arguments vs without. These distinctions are easy to confuse if you've only read about them and haven't used them in practice.
The CIM Add-On
The Common Information Model requires understanding of data normalisation, Technology Add-ons, and how CIM fields map to source-specific fields. Candidates who haven't used the CIM add-on in a real Splunk environment find these questions harder because the concepts are abstract without practical context.
Data Model Acceleration and tstats
Data models and the tstats command are specific enough that they require dedicated study. Understanding when to enable acceleration, what tsidx summaries are, and how tstats queries differ from regular search queries is not covered by general Splunk familiarity.
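As an added example that is not part of the original article, the configuration below puts the distinctions from the previous section and this one side by side: a field alias next to a calculated field in props.conf, a transaction search next to its stats counterpart, and a tstats search over an accelerated data model. It assumes web access logs indexed as sourcetype access_combined (with clientip, bytes and JSESSIONID fields) and an accelerated CIM Web data model; the saved-search stanza names are made up.

```ini
# props.conf (search-time knowledge objects for one sourcetype)
[access_combined]
# Field alias: an additional name for an existing field; no value is computed
FIELDALIAS-src = clientip AS src
# Calculated field: a new field produced from an eval expression at search time
EVAL-bytes_kb = round(bytes/1024, 2)

# savedsearches.conf (stanza names are constructed for this example)
[Session reconstruction with transaction]
# maxspan caps the total duration of one transaction; maxpause caps the gap
# between consecutive events. Exceeding either limit starts a new transaction.
# transaction adds the duration and eventcount fields to each grouped event.
search = sourcetype=access_combined \
| transaction JSESSIONID maxspan=30m maxpause=5m \
| where eventcount > 1 \
| table JSESSIONID duration eventcount

[Session summary with stats]
# Same grouping key, but stats only aggregates: it does not keep raw events or
# their order, has no pause/span semantics, and is far cheaper at scale.
search = sourcetype=access_combined \
| stats count AS eventcount min(_time) AS first_seen max(_time) AS last_seen BY JSESSIONID \
| eval duration = last_seen - first_seen

[Server errors by source from data model acceleration]
# tstats reads the tsidx summaries of an accelerated data model instead of raw
# events. Fields carry the dataset prefix (Web.src), and summariesonly=true
# restricts results to data that has already been accelerated.
search = | tstats summariesonly=true count FROM datamodel=Web WHERE Web.status>=500 BY Web.src Web.status \
| sort - count
```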
What Makes It Manageable
Splunk's Free Training Is Directly Relevant
Splunk offers a free Power User course that covers the exam material. The virtual lab environment lets you practice creating knowledge objects, macros, and data models in a real Splunk instance. Candidates who complete the training and do the hands-on exercises are well-positioned for the exam.
70% Passing Score
You need 70% to pass, which means you can miss roughly 20 questions and still pass. If you're solid on the core knowledge object material and the CIM, you can afford some uncertainty on the less common topics.
Building on SPLK-1001
If you've already passed the Core Certified User exam, you have the foundation. The SPLK-1002 extends what you already know rather than starting from scratch. The SPL fundamentals, the search pipeline, and the basic Splunk architecture are assumed knowledge.
Pass Rate
Splunk doesn't publish pass rates. Community feedback suggests the SPLK-1002 is noticeably harder than SPLK-1001, with a lower first-attempt pass rate. The time pressure is frequently cited as the main challenge by candidates who had adequate knowledge but ran out of time. Most prepared candidates pass within one or two attempts.
How Long to Prepare
| Background | Estimated Prep Time |
|---|---|
| No Splunk experience | Not recommended (complete SPLK-1001 first) |
| SPLK-1001 level knowledge | 3–5 weeks |
| Regular Splunk user, some power user features | 2–3 weeks |
| Daily Splunk use including knowledge objects | 1–2 weeks focused review |
Recommended Study Approach
- Complete Splunk's Power User course and all virtual lab exercises. The hands-on work cements the knowledge object concepts better than any amount of reading.
- Create every knowledge object type in a real Splunk environment. Field extraction, field alias, calculated field, tag, event type, macro with and without arguments, all three workflow action types, and a data model.
- Practise the transaction command with maxspan and maxpause. Understand when transaction is the right choice over stats and be able to explain the difference.
- Learn the CIM add-on. Install a Technology Add-on in a test environment, run searches using CIM field names, and understand how normalisation works.
- Practise under time pressure. Set a 57-minute timer and work through a full set of practice questions. Speed is a real factor.
- Take practice exams. Use the SPLK-1002 practice exams to identify your weak areas before you book.
Bottom Line
The SPLK-1002 is a legitimate step up from the Core Certified User exam. The time pressure and the nuanced distinctions between similar features mean that passive study isn't enough. Get hands-on with every knowledge object type, practise under realistic time conditions, and use practice exams to find your gaps. Candidates who do all three consistently pass.