# How to Pass Splunk Core Certified User in 2026: Complete Study Guide
The **Splunk Core Certified User** is the entry-level certification in the Splunk credentialing track. It validates your ability to search, navigate reports, and build basic dashboards inside Splunk Enterprise or Splunk Cloud. Whether you are a SOC analyst, an IT operations engineer, or a data professional just getting started with Splunk, this certification proves you can work independently with the Search Processing Language (SPL) and the Splunk UI.
This guide covers everything you need: exam format, all six domains, SPL fundamentals, key commands, and a 4-week study plan to get you exam-ready.
---
## Exam Facts at a Glance
| Detail | Value |
|---|---|
| Exam code | Splunk Core Certified User |
| Number of questions | 60 |
| Time limit | 60 minutes |
| Passing score | 70% (42 correct) |
| Exam cost | $130 USD |
| Format | Multiple choice / multiple response |
| Delivery | Pearson VUE (online proctored or test center) |
| Prerequisite | None (entry-level) |
| Validity | 3 years |
---
## The Six Exam Domains
Splunk publishes a blueprint that maps every exam question to one of six domains. Understanding the domain weights lets you prioritize your study time.
### Domain 1: Splunk Components
You need to know what each component does: the **indexer** stores and indexes incoming data; the **search head** lets users run searches; the **forwarder** (Universal or Heavy) ships data to indexers; and the **deployment server** manages configurations at scale. Questions here are conceptual — recognizing what component solves which architectural problem.
### Domain 2: Searching and Reporting
This is the largest domain. It covers how to construct a basic SPL query, use the search pipeline (`|`), filter results with keywords and boolean operators (`AND`, `OR`, `NOT`), and apply time ranges. You must understand index, source, sourcetype, and host as the four default fields.
### Domain 3: Charts and Dashboards
Creating visualizations from search results. You need to know the difference between a report (saved search) and a dashboard (collection of panels). Key panel types: chart, timechart, table, single value, and map.
### Domain 4: Filtering and Formatting Results
Using SPL commands to shape output: `table`, `fields`, `rename`, `sort`, `dedup`, `eval`, `where`, and `head`/`tail`. This domain tests your ability to produce clean, formatted output from raw events.
### Domain 5: Correlating Events
Combining data from multiple sources using `transaction`, `join`, and `append`. Understanding when `transaction` is appropriate (grouping events by shared field value) versus when `stats` is more efficient.
### Domain 6: Knowledge Objects
Splunk stores reusable configurations as knowledge objects: saved searches, reports, alerts, field extractions, lookups, event types, and tags. You must know how to create and manage these from the Splunk UI and understand their permission model (private, app, global).
---
## SPL Fundamentals
### The Search Pipeline
Every SPL query is a pipeline: data flows left to right, and each command receives the output of the command before it.
```
index=web sourcetype=access_combined status=200
| stats count by host
| sort -count
| head 10
```
- **Generating command** (implicit): the base search retrieves events from the index.
- **Transforming command** (`stats`, `chart`, `timechart`): converts events into a statistical table. Once you use a transforming command, you can no longer filter raw events.
- **Reporting command** (`table`, `fields`, `sort`): shapes final output.
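To see what each stage of that pipeline actually does to the data, here is an added Python model of it (example code written for this guide, not code from the page or from Splunk). It runs `index=web sourcetype=access_combined status=200 | stats count by host | sort -count | head 10` over a handful of constructed access_combined events; the regex plays the part of a `rex`-style named-group extraction, and the `where` step shows that after the transforming command only `host` and `count` exist, so you can filter on `count` but no longer on a raw field such as `uri`. Event data, host names and the simplified semantics are assumptions for the example.

```python
import re
from collections import Counter

# Field extraction for access_combined using the same named-group syntax `rex` uses.
# Constructed for this example; it covers only the parts of the format used below.
ACCESS_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[(?P<timestamp>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample events: (index, sourcetype, host, _raw). Not real traffic.
RAW_EVENTS = [
    ("web", "access_combined", "web01", '10.0.0.5 - - [12/Mar/2026:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"'),
    ("web", "access_combined", "web01", '10.0.0.5 - - [12/Mar/2026:10:00:02 +0000] "GET /admin HTTP/1.1" 404 512 "-" "curl/8.0"'),
    ("web", "access_combined", "web01", '10.0.0.7 - - [12/Mar/2026:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"'),
    ("web", "access_combined", "web02", '10.0.0.7 - - [12/Mar/2026:10:00:04 +0000] "POST /login HTTP/1.1" 200 256 "-" "Mozilla/5.0"'),
    ("web", "access_combined", "web02", '10.0.0.9 - - [12/Mar/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 500 0 "-" "Mozilla/5.0"'),
    ("web", "access_combined", "web02", '10.0.0.9 - - [12/Mar/2026:10:00:06 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"'),
    ("web", "access_combined", "web01", '10.0.0.5 - - [12/Mar/2026:10:00:07 +0000] "GET /about HTTP/1.1" 200 2048 "-" "curl/8.0"'),
    # Same format, different index: the base search's index= term must exclude it.
    ("security", "access_combined", "proxy01", '10.0.0.5 - - [12/Mar/2026:10:00:08 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "curl/8.0"'),
]


def parse_event(index, sourcetype, host, raw):
    """Attach the default fields and the fields extracted from _raw to one event."""
    m = ACCESS_RE.match(raw)
    if m is None:
        raise ValueError(f"not access_combined: {raw!r}")
    event = m.groupdict()
    event.update({"index": index, "sourcetype": sourcetype, "host": host, "_raw": raw})
    return event


def search(events, **terms):
    """Base (generating) search: key=value terms with AND implicit between them."""
    return [e for e in events if all(str(e.get(k)) == str(v) for k, v in terms.items())]


def stats_count_by(events, field):
    """Transforming command: one row per field value with a count. Raw fields are gone."""
    counts = Counter(e[field] for e in events)
    return [{field: value, "count": n} for value, n in counts.items()]


def sort_desc(rows, field):
    """`sort -<field>`: descending order."""
    return sorted(rows, key=lambda r: r[field], reverse=True)


def head(rows, n):
    """`head <n>`: first n rows."""
    return rows[:n]


def where(rows, field, predicate):
    """`where`: keep rows whose field satisfies the predicate. After a transforming
    command only the fields it produced (here host and count) can be referenced."""
    return [r for r in rows if predicate(r[field])]


def run_pipeline():
    """index=web sourcetype=access_combined status=200 | stats count by host | sort -count | head 10"""
    events = [parse_event(*raw) for raw in RAW_EVENTS]
    hits = search(events, index="web", sourcetype="access_combined", status=200)
    return head(sort_desc(stats_count_by(hits, "host"), "count"), 10)


if __name__ == "__main__":
    for row in run_pipeline():
        print(row)
```

Running it prints `{'host': 'web01', 'count': 3}` then `{'host': 'web02', 'count': 2}`; the proxy01 event is dropped by `index=web` before `stats` ever sees it, which is why anchoring the base search on `index=` and `sourcetype=` is the cheapest filter you have.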
### The Four Default Fields
Every event in Splunk has four metadata fields assigned at index time:
| Field | Description |
|---|---|
| `index` | The Splunk index where data is stored |
| `source` | The file or input source path |
| `sourcetype` | The data format category (e.g., `access_combined`, `syslog`) |
| `host` | The hostname of the machine that sent the data |
Always anchor your searches with `index=` and `sourcetype=` to limit event volume and improve performance.
### Boolean Operators and Wildcards
- `AND` is implicit between search terms: `error login` = `error AND login`
- `OR` must be explicit: `error OR warning`
- `NOT` excludes terms: `error NOT timeout`
- Wildcards: `fail*` matches `failed`, `failure`, `failover`
---
## Key SPL Commands by Domain
### Transforming Commands (Domain 3)
| Command | Purpose | Example |
|---|---|---|
| `stats` | Aggregate events into a table | `stats count by status` |
| `chart` | Create a chart with explicit x-axis | `chart count over host by status` |
| `timechart` | Chart over time (x-axis = `_time`) | `timechart span=1h count by status` |
### Filtering and Formatting Commands (Domain 4)
| Command | Purpose |
|---|---|
| `table` | Select and reorder columns |
| `fields` | Include or exclude fields (`fields - _raw`) |
| `rename` | Rename a field (`rename src_ip AS "Source IP"`) |
| `sort` | Sort results (`sort -count` for descending) |
| `dedup` | Remove duplicate events by field value |
| `eval` | Create or modify a field (`eval ratio=bytes/requests`) |
| `where` | Filter rows in a transformed table (`where count > 100`) |
| `head` / `tail` | Return first or last N results |
| `top` / `rare` | Most/least frequent values of a field |
| `rex` | Extract fields using regex with a named group (`rex "(?<ip>\d+\.\d+\.\d+\.\d+)"`) |
### Correlation Commands (Domain 5)
| Command | Purpose |
|---|---|
| `transaction` | Group events sharing a field value into a single transaction |
| `join` | SQL-style join on a shared field |
| `append` | Append results of a subsearch |
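The Domain 5 question of when `transaction` is appropriate versus when `stats` is enough is easiest to see on data. The following Python model is an added example for this guide (not Splunk's implementation and not code from the page): it runs the guide's `transaction src_ip maxspan=5m | where duration>60` pattern and the `stats`-based alternative over constructed auth events. It simplifies `transaction` to the `maxspan` rule only (no `maxpause`, `startswith` or `endswith`), and the event data and IP addresses are made up.

```python
from collections import defaultdict

MAXSPAN_SECONDS = 5 * 60  # maxspan=5m

# Constructed auth events (_time as epoch seconds). Not real data.
AUTH_EVENTS = [
    {"_time": 1000, "src_ip": "10.1.1.1", "action": "failure"},
    {"_time": 1030, "src_ip": "10.1.1.1", "action": "failure"},
    {"_time": 1090, "src_ip": "10.1.1.1", "action": "success"},   # one 90-second session
    {"_time": 1000, "src_ip": "10.1.1.2", "action": "success"},   # single-event session
    {"_time": 2000, "src_ip": "10.1.1.3", "action": "failure"},
    {"_time": 2020, "src_ip": "10.1.1.3", "action": "failure"},
    {"_time": 2400, "src_ip": "10.1.1.3", "action": "success"},   # 400 s after the first: beyond maxspan
]


def transaction(events, field, maxspan):
    """Model of `transaction <field> maxspan=<seconds>`.

    Events sharing a value of `field` are walked in time order; an event more than
    `maxspan` seconds after the first event of the open group starts a new group.
    Simplified: Splunk's transaction also supports maxpause, startswith and endswith,
    which this model leaves out.
    """
    open_txn = {}   # field value -> group currently being built
    closed = []
    for ev in sorted(events, key=lambda e: e["_time"]):
        key = ev[field]
        txn = open_txn.get(key)
        if txn is None or ev["_time"] - txn["_time"] > maxspan:
            if txn is not None:
                closed.append(txn)
            txn = {field: key, "_time": ev["_time"], "duration": 0, "eventcount": 0, "action": []}
            open_txn[key] = txn
        txn["duration"] = ev["_time"] - txn["_time"]   # last - first, like the duration field
        txn["eventcount"] += 1
        txn["action"].append(ev["action"])             # kept as a multivalue field
    closed.extend(open_txn.values())
    return sorted(closed, key=lambda t: (t["_time"], t[field]))


def long_sessions(events, field="src_ip", maxspan=MAXSPAN_SECONDS, min_duration=60):
    """`transaction src_ip maxspan=5m | where duration>60`"""
    return [t for t in transaction(events, field, maxspan) if t["duration"] > min_duration]


def stats_range_by(events, field):
    """`stats min(_time) AS first max(_time) AS last count BY <field> | eval range=last-first`.

    One row per value and no session boundaries: cheaper than transaction, but it
    cannot tell that 10.1.1.3 has two separate sessions in the sample data.
    """
    times = defaultdict(list)
    for ev in events:
        times[ev[field]].append(ev["_time"])
    return [{field: k, "first": min(t), "last": max(t), "count": len(t), "range": max(t) - min(t)}
            for k, t in sorted(times.items())]


if __name__ == "__main__":
    for row in transaction(AUTH_EVENTS, "src_ip", MAXSPAN_SECONDS):
        print("transaction:", row)
    for row in stats_range_by(AUTH_EVENTS, "src_ip"):
        print("stats:      ", row)
```

For 10.1.1.3 the `transaction` model returns two rows (a 20-second group and a later single event) because the third event falls outside `maxspan`, while `stats` returns one row with a 400-second range. When all you need is a count, a first/last time or a range per value, `stats` gives the answer without materialising grouped events; reach for `transaction` only when the session boundaries themselves, or the ordered event contents of a session, are what the question asks for.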
---
## Splunk UI Navigation
The Splunk Web UI has a consistent layout across versions:
- **Search & Reporting app**: your primary workspace for running searches, building reports, and creating dashboards.
- **Apps bar** (top left): switch between installed Splunk apps.
- **Search bar**: enter SPL queries here; use the time picker on the right to set the search window.
- **Events / Statistics / Visualization tabs**: toggle between raw event view, transformed table, and chart output.
- **Save As menu**: save a search as a Report, Alert, or Dashboard Panel.
- **Settings menu** (top right): manage knowledge objects, data inputs, users, and roles.
---
## Splunk Certification Progression
| Certification | Focus | Audience |
|---|---|---|
| Core Certified User | Search, reports, dashboards, SPL basics | Analysts, end users |
| Core Certified Power User | Advanced SPL, regex, lookups, macros, CIM | Power users, developers |
| Enterprise Certified Admin | Deployment, indexing, clustering, RBAC | System administrators |
| SPLK-1002 (IT Service Intelligence) | ITSI monitoring and alerting | Operations teams |
The Core User cert is the natural starting point. Most candidates move to Power User next.
---
## Study Resources
- **Splunk Free Training — Fundamentals 1**: Splunk's official free course covers the exam topics in order. Available at `education.splunk.com`. Complete this before anything else.
- **Splunk BOSS of the SOC (BOTS)**: A free, gamified CTF dataset hosted by Splunk. Running real searches against BOTS data is the best hands-on preparation available.
- **Splunk Docs**: `docs.splunk.com` — the Search Reference is your command encyclopedia.
- **CertLand Practice Exams**: Timed, 60-question practice exams mapped to all six domains with full explanations. Use these in Week 3 and Week 4 to simulate exam conditions.
---
## 4-Week Study Plan
### Week 1: Splunk Fundamentals
- Complete Splunk Fundamentals 1 (free, ~9 hours)
- Understand the Splunk data pipeline: input → parsing → indexing → searching
- Practice navigating the Search & Reporting app
- Learn the four default fields and boolean search operators
- Goal: write a basic search, apply a time range, read the Events tab
### Week 2: SPL Commands
- Study transforming commands: `stats`, `chart`, `timechart`
- Study filtering commands: `table`, `eval`, `where`, `dedup`, `sort`, `top`, `rex`
- Study knowledge objects: saved searches, field extractions, lookups, tags
- Practice each command against the BOTS dataset
- Goal: write a search that aggregates data, formats output, and saves as a report
### Week 3: Dashboards and Correlation
- Build a dashboard with at least 3 panel types
- Study `transaction` and `join` use cases
- Review correlation examples: session tracking, error correlation
- Take your first full CertLand practice exam (timed, 60 questions)
- Review every wrong answer; map each mistake to a domain
### Week 4: Exam Simulation and Review
- Take two more full practice exams under timed conditions
- Focus review on your weakest domain (check domain scores)
- Re-read the Splunk Search Reference for any command you got wrong
- Day before exam: review your notes, no new material
- Exam day: read every question twice; eliminate obviously wrong answers first
---
## Quick Reference: 10 Must-Know SPL Patterns
1. `index=main error | stats count by host` — count errors per host
2. `index=web status=404 | top limit=5 uri` — top 5 URLs returning 404
3. `index=auth | timechart span=1h count by action` — login actions over time
4. `index=web | eval size_kb=bytes/1024 | table host, uri, size_kb` — compute and display
5. `index=web | dedup src_ip | stats count` — count unique source IPs
6. `index=web | where status>=400 | stats count by status` — filter HTTP errors
7. `index=web | rex field=uri "\/(?<section>[^\/]+)\/" | stats count by section` — extract URL section
8. `index=auth | transaction src_ip maxspan=5m | where duration>60` — long auth sessions
9. `index=web | lookup geo_lookup src_ip OUTPUT country | stats count by country` — geo enrichment
10. `index=web | sort -_time | head 20` — most recent 20 events
---
## Final Tips
- The exam is 60 questions in 60 minutes — that is one minute per question. Do not overthink. If a question stumps you, flag it and move on.
- SPL command syntax questions often hinge on a single keyword (e.g., `by` in `stats` vs `over` in `chart`). Learn the exact syntax.
- Dashboard questions typically test panel types and the difference between reports and dashboard panels — not advanced XML.
- The knowledge objects domain is frequently underestimated. Understand permission scopes: private, app, and global.
Good luck — and remember that the best preparation is running real searches against real data.