Tags: Splunk, SPLK-1001, Practice Questions, Certification, SPL

SPLK-1001 Practice Questions: SPL, Lookups & Alerts

16 March 2026·5 min read·By Jacob

These questions cover three areas that frequently appear on the SPLK-1001 and where candidates most commonly lose marks: transforming commands, lookups, and alerts. Work through them before checking the answers.


Question 1

What does the following SPL search return?

index=web | stats count by host

  • A) The total number of distinct hosts across all indexes
  • B) A table with each unique host and its event count
  • C) Only the host with the highest event count
  • D) Raw events grouped visually by host
<details> <summary>Show Answer & Explanation</summary>

Answer: B - A table with each unique host and its event count

stats count by host is a transforming command. It doesn't return individual events; it returns one row per unique value of host, with a count column showing how many events matched each host.

This is a key distinction on the SPLK-1001. Non-transforming commands (like search or fields) work on individual events. Transforming commands produce a new statistical table. That's why visualisations require a transforming command: you can't chart raw events, but you can chart a table of counts.

stats count by host returns all hosts with their counts, not just the maximum. If you want only the highest, you'd add | sort -count | head 1.

On the exam, whenever a question describes a result that looks like a table with aggregated values, the answer involves a transforming command: stats, top, rare, chart, or timechart.

</details>

Question 2

A security team has a CSV file mapping IP addresses to known malicious categories. They want to automatically add a threat_category field to search results when a matching IP is found. Which Splunk feature should they use?

  • A) An alert that monitors for IP addresses
  • B) A lookup configured with the CSV file
  • C) An eval command to assign categories
  • D) A field extraction using regex
<details> <summary>Show Answer & Explanation</summary>

Answer: B - A lookup configured with the CSV file

Lookups enrich search results by joining data from an external source with your indexed events. In this scenario, the CSV acts as a reference table: Splunk checks each event's IP against the CSV and, when it finds a match, adds the corresponding threat_category field to that event.

Why not the other options:

  • Alerts trigger actions based on conditions; they don't add fields to events
  • eval calculates new field values from expressions, but you'd need to hardcode every IP-to-category mapping in the search itself, which isn't practical
  • Field extraction pulls fields out of raw event text; it doesn't join against an external table

How lookups work:

index=firewall
| lookup threat_intel.csv src_ip OUTPUT threat_category
| where isnotnull(threat_category)

Once the CSV has been uploaded as a lookup table file (and a lookup definition points at it), the lookup command matches the src_ip field in each event against the src_ip column in the CSV and writes the threat_category value from the matching row into that event. An AS clause is only needed when the event field and the CSV column have different names, for example lookup threat_intel.csv src_ip AS dest_ip OUTPUT threat_category, which matches the CSV's src_ip column against the event's dest_ip field. Events with no match pass through the lookup unchanged, which is why the where isnotnull(threat_category) line is needed to keep only the hits.

Know the distinction: field extraction pulls data out of raw events; lookups join data from external sources onto your results. Two different tools for two different problems.
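To make the join semantics concrete, here is an added Python model of the lookup command (example code, not from the original page or from Splunk). The threat-intel CSV and the firewall events are constructed for the example, and the column names assume the layout the question describes. It shows the two behaviours a practitioner most often trips over: an unmatched event is kept, just without the new field, and OUTPUT overwrites a field the event already carries while OUTPUTNEW does not.

```python
import csv
import io

# Constructed lookup table, standing in for the uploaded threat_intel.csv.
THREAT_INTEL_CSV = """src_ip,threat_category
203.0.113.10,scanner
198.51.100.7,c2
192.0.2.44,malware-host
"""

# Constructed events, standing in for the results of index=firewall.
# The third event already has a threat_category set by an analyst, which
# lets us show the difference between OUTPUT and OUTPUTNEW.
FIREWALL_EVENTS = [
    {"_time": "2026-03-16T09:00:01", "src_ip": "203.0.113.10", "action": "blocked"},
    {"_time": "2026-03-16T09:00:05", "src_ip": "10.0.0.5", "action": "allowed"},
    {"_time": "2026-03-16T09:00:09", "src_ip": "198.51.100.7", "action": "allowed",
     "threat_category": "analyst-override"},
    {"_time": "2026-03-16T09:00:12", "src_ip": "192.0.2.44", "action": "blocked"},
]


def load_lookup(csv_text, key_field):
    """Read a CSV lookup table into a dict keyed on key_field (one row per key)."""
    return {row[key_field]: row for row in csv.DictReader(io.StringIO(csv_text))}


def lookup(events, table, event_field, output_fields, overwrite=True):
    """Model `| lookup <table> <key> AS <event_field> OUTPUT|OUTPUTNEW <fields>`.

    For every event, look up event[event_field] in the table and copy the
    requested fields from the matching row. overwrite=True models OUTPUT
    (replace a field the event already has); overwrite=False models OUTPUTNEW
    (keep the existing value). Unmatched events are passed through untouched;
    the lookup command never drops events by itself.
    """
    enriched = []
    for event in events:
        new_event = dict(event)
        match = table.get(event.get(event_field))
        if match is not None:
            for field in output_fields:
                if overwrite or field not in new_event:
                    new_event[field] = match[field]
        enriched.append(new_event)
    return enriched


def where_isnotnull(events, field):
    """Model `| where isnotnull(<field>)`: keep only events that carry the field."""
    return [e for e in events if e.get(field) is not None]


def enrich_firewall_events(overwrite=True):
    """The full pipeline from the answer: index=firewall | lookup ... | where isnotnull(...)."""
    table = load_lookup(THREAT_INTEL_CSV, "src_ip")
    enriched = lookup(FIREWALL_EVENTS, table, "src_ip", ["threat_category"], overwrite=overwrite)
    return where_isnotnull(enriched, "threat_category")


if __name__ == "__main__":
    for e in enrich_firewall_events():
        print(e["src_ip"], e["action"], e["threat_category"])
```

Two caveats worth carrying into real searches: CSV lookups match case-sensitively unless the lookup definition sets case_sensitive_match to false, so hostnames and usernames from mixed-case sources may silently miss; and because unmatched events are kept, forgetting the isnotnull filter returns the whole index, not just the hits.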

</details>

Question 3

A SOC team wants to be automatically notified by email whenever the number of failed login events exceeds 50 in a 15-minute window. Which Splunk feature should they configure?

  • A) A scheduled report with email delivery
  • B) A real-time dashboard panel
  • C) An alert with an email action
  • D) A lookup with a threshold field
<details> <summary>Show Answer & Explanation</summary>

Answer: C - An alert with an email action

Alerts in Splunk run a saved search on a schedule (or in real time) and trigger one or more actions when the results meet a defined condition. In this case: run a search for failed logins every 15 minutes, and if the count exceeds 50, send an email.

The distinction between an alert and a scheduled report matters for the exam:

| | Scheduled report | Alert |
|---|---|---|
| Runs on a schedule | Yes | Yes |
| Sends email | Yes (every run, on schedule) | Yes (only when the condition is met) |
| Triggers actions conditionally | No | Yes |
| Use case | Regular reporting | Threshold-based notification |

A scheduled report sends its results on every run regardless of what the results contain. An alert only fires when the condition is satisfied, which is exactly what this scenario requires.

Alert actions available in Splunk include:

  • Email
  • Webhook
  • Run a script
  • Add to triggered alerts list
  • Create a notable event for Incident Review (Enterprise Security)

On the SPLK-1001, "notify when X happens" is almost always answered with an alert, not a report. Reports are for regular information delivery; alerts are for exception-based notification.
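The following Python block is an added example, not code from the original page or from Splunk, and it serves two of the questions above: it models the transforming stats count by command from Question 1 (events in, a table with one row per distinct value out) and then reuses that model to show how the 15-minute threshold alert from Question 3 differs from a scheduled report. The failed-login events are constructed so that the first window holds 12 failures and the second 63; the window size, threshold and field names are assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta


def make_events():
    """Constructed failed-login events standing in for `index=auth action=failure`.

    Window 09:00-09:14 holds 12 failures spread over two hosts; window
    09:15-09:29 holds 63 failures from a single host, so only the second
    window should cross a threshold of 50.
    """
    base = datetime(2026, 3, 16, 9, 0, 0)
    events = []
    for i in range(12):                       # 09:00 to 09:11, one per minute
        events.append({"_time": base + timedelta(minutes=i),
                       "host": "web-02" if i % 3 == 0 else "web-01",
                       "action": "failure"})
    for i in range(63):                       # 09:15 to 09:25, one every 10 s
        events.append({"_time": base + timedelta(minutes=15, seconds=10 * i),
                       "host": "web-02", "action": "failure"})
    return events


def stats_count_by(events, *by_fields):
    """Model `| stats count by <fields>`, a transforming command.

    Input: a list of events. Output: a new table (list of rows) with one row
    per distinct combination of the by-fields plus a count column. The
    individual events are gone; only the aggregate survives.
    """
    counts = Counter(tuple(e.get(f) for f in by_fields) for e in events)
    rows = [dict(zip(by_fields, key), count=n) for key, n in counts.items()]
    return sorted(rows, key=lambda r: tuple(str(r[f]) for f in by_fields))


def top_host(events):
    """Model `| stats count by host | sort -count | head 1` from Question 1."""
    rows = sorted(stats_count_by(events, "host"), key=lambda r: -r["count"])
    return rows[0] if rows else None


def bin_time(events, span_minutes):
    """Model `| bin _time span=<N>m` for spans that divide an hour evenly:
    floor each event's _time to the start of its window."""
    binned = []
    for e in events:
        t = e["_time"]
        floored = t.replace(minute=(t.minute // span_minutes) * span_minutes,
                            second=0, microsecond=0)
        binned.append({**e, "_time": floored})
    return binned


def run_each_window(events, span_minutes=15, threshold=50):
    """Run the saved search once per window and record what a scheduled report
    and an alert would each do with the same result table.

    Search modelled: index=auth action=failure | bin _time span=15m | stats count by _time
    A scheduled report delivers the table on every run regardless of content.
    An alert with the condition `count > threshold` fires only on the windows
    where that holds.
    """
    runs = []
    for row in stats_count_by(bin_time(events, span_minutes), "_time"):
        runs.append({"window": row["_time"], "count": row["count"],
                     "report_delivers": True,
                     "alert_fires": row["count"] > threshold})
    return runs


if __name__ == "__main__":
    evs = make_events()
    print(stats_count_by(evs, "host"))       # one row per host, not 75 events
    print(top_host(evs))
    for run in run_each_window(evs):
        print(run["window"].strftime("%H:%M"), run["count"],
              "report: sent", "alert: FIRED" if run["alert_fires"] else "alert: quiet")
```

In Splunk itself the same check is usually written into the search (for example ending it with | where count > 50) with the alert's trigger condition set to fire when the number of results is greater than zero, the schedule set to every 15 minutes over the last 15 minutes, and throttling enabled so a sustained attack does not produce an email on every run.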

</details>

Key Takeaways

  • stats count by host is a transforming command. It produces a statistical table, not raw events. That's what makes charts and visualisations possible.
  • Lookups enrich events by joining data from an external source (CSV or KV Store). They add fields; they don't filter or extract.
  • Alerts fire conditionally. Reports run on a schedule and always deliver results. When a scenario involves "notify when a threshold is reached", the answer is an alert.

For more practice, work through the full SPLK-1001 practice exam set.
