These questions cover the Common Information Model, workflow actions, and advanced field extractions — areas that distinguish the Power User exam from the Core User and where candidates most commonly lose marks.
Question 1
You are mapping a firewall data source to the Splunk CIM Network Traffic data model. The field in your data representing the destination IP address is called dst_ip. What should you rename it to for CIM compliance?
- A) dst_ip — this is already the correct CIM field name
- B) dest — the CIM Network Traffic field for destination IP
- C) target_ip — standard CIM naming for destinations
- D) destination_address — the full CIM field name
Answer: B — dest
The Splunk CIM uses dest as the destination IP address field in the Network Traffic data model — not dst_ip, target_ip, or destination_address. This is a common point of confusion because many raw firewall log formats use dst or dst_ip.
Key CIM Network Traffic field names to memorise:
| CIM Field | Meaning |
|---|---|
| src | Source IP address |
| dest | Destination IP address |
| src_port | Source port |
| dest_port | Destination port |
| user | Username associated with the session |
| action | Traffic action (allowed, blocked) |
| bytes_in / bytes_out | Transfer volumes |
CIM compliance is required for Splunk apps like Enterprise Security to work correctly — if your fields don't match CIM names exactly, correlation searches and dashboards won't find your data.
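One way to carry out this mapping in practice, added here as an example rather than taken from the original page: search-time configuration that aliases the raw firewall fields to their CIM names, normalises the action vocabulary, and tags the events so the Network Traffic data model will pick them up. The sourcetype name `acme:fw`, the raw field names other than dst_ip (`src_ip`, `sport`, `dport`, `act`) and the firewall's action values are assumptions about a hypothetical log format.

```ini
# props.conf  (assumed sourcetype "acme:fw"; raw field names are assumptions)
[acme:fw]
# Alias the raw names to the CIM Network Traffic names. The original fields
# remain searchable; the aliases are what Enterprise Security will look for.
FIELDALIAS-cim_network = src_ip AS src dst_ip AS dest sport AS src_port dport AS dest_port
# CIM expects action values of "allowed" / "blocked"; map the device's own
# vocabulary ("permit" / "deny" assumed here) and pass anything else through.
EVAL-action = case(act=="permit", "allowed", act=="deny", "blocked", true(), act)

# eventtypes.conf  (selects the firewall events so they can be tagged)
[acme_fw_traffic]
search = sourcetype=acme:fw

# tags.conf  (the Network Traffic data model's All_Traffic dataset is
# constrained to tag=network tag=communicate; untagged events never appear in it)
[eventtype=acme_fw_traffic]
network = enabled
communicate = enabled
```

To confirm both halves are working, run a search that uses only the CIM names and the tags, for example `sourcetype=acme:fw tag=network tag=communicate | stats count by src dest dest_port action`. If that returns nothing while `sourcetype=acme:fw` does, either the aliases or the tags are not being applied, and the data model (and every ES correlation search built on it) will be blind to the source.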
Question 2
A security analyst wants to click a field value in a Splunk search result and have that value automatically submitted as a parameter to an external ticketing system via HTTP. Which workflow action type achieves this?
- A) GET workflow action
- B) POST workflow action
- C) Search workflow action
- D) Alert workflow action
Answer: B — POST workflow action
A POST workflow action constructs an HTTP POST request using field values from the event as parameters in the request body. When a user right-clicks a field value and selects the workflow action, Splunk sends the POST to the configured URL with the event's field values as form data.
The three workflow action types:
| Type | What it does |
|---|---|
| GET | Opens a URL in the browser with field values in the query string |
| POST | Sends an HTTP POST request with field values in the request body |
| Search | Runs a new Splunk search, optionally passing field values as arguments |
GET is appropriate for lookups and documentation links. POST is the right choice for creating tickets, triggering webhooks, or any action that modifies external state (REST APIs typically require POST for write operations).
Workflow actions are configured in Settings → Fields → Workflow actions.
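The same configuration lives in workflow_actions.conf, and seeing all three types side by side makes the differences in the table above concrete. The following is an added example, not configuration from the original page; the two external URLs are placeholders and the stanza names and labels are assumptions.

```ini
# workflow_actions.conf  (added example; URLs are placeholders)

# POST: create a ticket in an external system. The field values are carried in
# the request body as form data, which is what a write operation on a REST API expects.
[create_ticket_for_dest]
type = link
label = Create ticket for $dest$
fields = dest
display_location = both
link.method = post
link.uri = https://ticketing.example.invalid/api/tickets
link.target = blank
link.postargs.1.key = affected_host
link.postargs.1.value = $dest$
link.postargs.2.key = summary
link.postargs.2.value = Investigate $dest$ seen in $sourcetype$ on $host$

# GET: read-only lookup. The clicked value is placed in the query string and
# the page opens in a new browser tab; nothing is modified on the remote side.
[lookup_dest_reputation]
type = link
label = Look up $dest$
fields = dest
display_location = field_menu
link.method = get
link.uri = https://intel.example.invalid/lookup?ip=$dest$
link.target = blank

# Search: pivot into a new SPL search scoped to the clicked value.
[search_dest_last_24h]
type = search
label = All traffic to $dest$ (last 24h)
fields = dest
display_location = field_menu
search.search_string = tag=network tag=communicate dest=$dest$ | stats count by src action
search.earliest = -24h@h
search.latest = now
search.target = blank
```

Two points worth remembering when deploying the POST variant: the request is submitted by the analyst's browser, not by the search head, so the ticketing endpoint has to be reachable from the analyst's workstation and any authentication has to be browser-side; and the values substituted into `$dest$` and friends come straight from indexed events, so the receiving system should validate them like any other untrusted input.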
Question 3
A transforms.conf stanza extracts a field called error_code from log events. Some events contain multiple error codes. Without additional configuration, only the last match is stored. Which transforms.conf option stores all matches as a multi-value field?
- A) MULTIVAL = true
- B) MV_ADD = true
- C) KEEP_EMPTY_VALS = true
- D) REPEAT_MATCH = true
Answer: B — MV_ADD = true
By default, when a regex in transforms.conf matches multiple times, each match overwrites the previous value — only the last match is kept. Setting MV_ADD = true in the stanza causes Splunk to append each regex match as a separate value in a multi-value field instead.
```ini
# transforms.conf
[extract-error-codes]
REGEX = error_code=(\w+)
FORMAT = error_code::$1
MV_ADD = true
```
With MV_ADD = true, an event containing error_code=E001 error_code=E002 error_code=E003 would produce error_code with values ["E001", "E002", "E003"].
You can then work with multi-value fields using the mvexpand command and eval functions such as mvcount and mvindex.
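A transforms.conf stanza does nothing on its own; props.conf has to bind it to a sourcetype. As an added example (not configuration from the original page), here is that binding together with a second stanza that shows KEEP_EMPTY_VALS alongside MV_ADD. The sourcetype `app:log`, the `request_id` field and the stanza name `extract-request-ids` are assumptions.

```ini
# props.conf  (assumed sourcetype "app:log")
[app:log]
# REPORT- applies transforms.conf stanzas at search time. MV_ADD is only
# honoured for search-time extractions, so REPORT- (not TRANSFORMS-) is the right hook.
REPORT-app_fields = extract-error-codes, extract-request-ids

# transforms.conf
[extract-error-codes]
# REGEX is applied repeatedly across the event; MV_ADD keeps every match as a
# separate value instead of leaving a single error_code behind.
REGEX = error_code=(\w+)
FORMAT = error_code::$1
MV_ADD = true

[extract-request-ids]
# \w* also matches "request_id=" with nothing after it. Without KEEP_EMPTY_VALS
# that empty match is discarded and the field is simply absent; with it, the
# event carries request_id="" and the missing value can be searched for.
REGEX = request_id=(\w*)
FORMAT = request_id::$1
KEEP_EMPTY_VALS = true
```

With this in place, `sourcetype=app:log | where mvcount(error_code) > 1 | mvexpand error_code | stats count by error_code` counts each code once per occurrence rather than once per event. For an ad hoc check before touching configuration, `| rex max_match=0 "error_code=(?<error_code>\w+)"` produces the same multi-value field at search time.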
Related options worth knowing:
| Option | Effect |
|---|---|
| MV_ADD = true | Appends multiple regex matches as a multi-value field |
| KEEP_EMPTY_VALS = true | Preserves empty string matches |
| CLEAN_KEYS = true | Normalises field name characters |
Key Takeaways
- CIM Network Traffic uses dest for destination IP and src for source IP — not dst_ip, destination, or similar variants
- POST workflow actions send an HTTP POST with field values in the body; GET opens a URL; Search runs a new SPL query
- MV_ADD = true in transforms.conf appends multiple regex matches as a multi-value field instead of overwriting