Question 2 - Splunk SPLK-1001 Real Exam Questions [March 2026 Update]

Q: 2

Which of the following are not true about lookups? (Select all that apply.)

Options

Discussion

Grace Mar 8, 2026 7:32 am

E. not a hard 10MB limit in Splunk for lookups.

Amelia H. Mar 5, 2026 6:43 am

E tbh, not sure if I'm missing something tricky but don't recall a hard 10MB limit.

Skyler N. Mar 17, 2026 10:30 am

I'd pick A for this. From what I remember, lookups aren't natively time-based in Splunk, even though you can get creative with searches. I think the official docs or practice exams touch on this a bit.

FriendlyOps9816 Mar 13, 2026 12:36 am

Its E, there isn't a universal 10MB cap for lookups in Splunk. Admins can bump it much higher with config tweaks. That's why E isn't true, at least from what I've seen working with both CSV and KV Store lookups. Open to other takes if I missed something.

Luna E. Mar 4, 2026 5:16 pm

Option E is right, lookup files definitely aren't stuck with a 10MB max. Fairly sure on this, open to counter examples though.

Sam Mar 7, 2026 12:02 pm

I don’t think it’s A, pretty sure E is right here. The supposed 10MB limit on lookup size isn’t fixed in Splunk, it can be changed in limits.conf or depends on system resources. People get tripped up because older docs mention smaller limits, but as of now there’s no hard cap like that. Agree?

Logan Feb 26, 2026 6:51 pm

E or maybe A, saw similar on practice. Not 100 percent.

HelpfulReviewer8786 Mar 1, 2026 2:38 am

I don’t think B is the trap here, it’s E. There isn’t a strict 10MB max on lookup size, that’s just not a fixed Splunk limit. The real cap depends on config (like in limits.conf) and can be much bigger, especially with KV Store or CSV lookups. If anyone thinks there’s another wrong option let me know, but pretty sure it’s E this time.

Cameron O. Mar 4, 2026 8:13 pm

E saw a similar one in a practice set. There isn’t a fixed 10MB limit for lookups.

Ava Z. Mar 12, 2026 1:33 am

E There’s no strict 10MB max size for lookups, that limit can be adjusted in Splunk settings.
Just to confirm, does the question specify cloud vs. on-prem? Some limits differ depending on deployment type.

Be respectful. No spam.

Correct Answer:

Explanation

Splunk does not have a fixed 10MB maximum size limit for lookup files. The effective limits on lookup size are determined by configurations in the limits.conf file and the available system resources (RAM, CPU). For instance, the maxmemtablebytes setting for KV Store lookups defaults to 256MB, and the maxlookupsize for static CSV lookups defaults to 500MB in recent Splunk versions. These values can be adjusted by an administrator, demonstrating that there is no inherent 10MB hard limit. Therefore, the statement that lookups have a 10MB maximum size limit is false.

Why Incorrect

A. Lookups can be time based: This is a true statement. Splunk allows the configuration of time-based lookups, which match events against lookup table rows that are valid for the event's timestamp.

B. Search results can be used to populate a lookup table: This is a true statement. The outputlookup command is specifically designed to take the results of a search query and write them to a lookup file or KV Store collection.

C. Splunk DB Connect can be used to populate a lookup table from relational databases: This is a true statement. A primary function of the Splunk DB Connect app is to query relational databases and use the results to create and populate lookups within Splunk.

D. Output from a script can be used to populate a lookup table: This is a true statement. Splunk supports scripted lookups, where an external script is executed to provide lookup data dynamically, which is then used to enrich event data.

---

References

1. Splunk Enterprise Admin Manual

limits.conf specification:

Section: [lookup]

Content: This section details configurable limits for lookups. For example

maxlookupsize defaults to 500MB

and maxmemtablebytes for KV Store lookups defaults to 256000000 (256MB). This directly contradicts the claim of a 10MB limit.

Reference: Splunk Documentation

Admin Manual

limits.conf

[lookup] stanza.

2. Splunk Enterprise Knowledge Manager Manual

"About lookups":

Section: "Types of lookups" and "Configure a time-based lookup"

Content: This manual describes the different types of lookups

including scripted and time-based lookups

confirming options A and D are true features.

Reference: Splunk Documentation

Knowledge Manager Manual

"Configure a time-based lookup" and "Configure a scripted lookup".

3. Splunk Enterprise Search Reference

outputlookup command:

Section: "outputlookup"

Content: The documentation for the outputlookup command explicitly states its purpose: "Writes search results to a static lookup table... or a KV store collection." This confirms option B is a true statement.

Reference: Splunk Documentation

Search Reference

outputlookup.

4. Splunk DB Connect Manual

"Create and manage database lookups":

Section: "Create a new database lookup"

Content: The manual states

"Use DB Connect to import tables

views

and databases from your database and make them available as lookups in Splunk." This confirms option C is a true statement.

Reference: Splunk Documentation

Splunk DB Connect

"Create and manage database lookups".

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

📖 About this Domain

🎓 What You Will Learn

🛠️ Skills You Will Build

💡 Top Tips to Prepare

Premium Access Includes

FLASH OFFER

avail 10% DISCOUNT on YOUR PURCHASE