Career upgrade: Learn practical AI skills for better jobs and higher pay.
Level up
PracticeVideosBlogFlashcardsEspañol
All Practice Exams

100+ Free Elastic Certified Analyst Practice Questions

Pass your Elastic Certified Analyst exam on the first try — instant access, no signup required.

✓ No registration✓ No credit card✓ No hidden fees✓ Start practicing immediately
100+ Questions
100% Free
1 / 100
Question 1
Score: 0/0

In an anomaly detection job configuration, what does the 'bucket span' parameter control?

A
B
C
D
to track
Same family resources

Explore More Elastic Certifications

Continue into nearby exams from the same family. Each card keeps practice questions, study guides, flashcards, videos, and articles in one place.

Elastic Certified Engineer

Practice Questions

Elastic Certified Engineer

Practice Questions

Elastic Certified Observability Engineer

Practice Questions
2026 Statistics

Key Facts: Elastic Certified Analyst Exam

~60

Exam Questions

Elastic

70%

Passing Score

Elastic

60 min

Exam Duration

Elastic

$200

Exam Fee

Elastic

14 days

Retake Wait

Elastic FAQ

2 years

Credential Validity

Elastic

Elastic Certified Analyst is approximately 60 multiple-choice questions in 60 minutes with a 70% passing score, costing $200 USD per attempt. Delivered remotely via TrueAbility and Honorlock. Covers Kibana Discover, KQL, ESQL, Lens, Dashboard, Maps, and alerting. Credential valid for 2 years. 14-day retake wait.

Sample Elastic Certified Analyst Practice Questions

Try these sample questions to test your Elastic Certified Analyst exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1In Kibana Discover, which field in the search bar allows you to filter documents where the host name matches any value starting with 'web'?
A.host.name = web*
B.host.name : "web*"
C.host.name ~ web
D.host.name LIKE 'web%'
Explanation: KQL uses the colon operator for field-value matching and supports wildcards with *. The correct syntax is `host.name : "web*"` which matches any host.name value beginning with 'web'. The = operator is not valid KQL. The ~ operator is regex notation from other query languages. SQL-style LIKE syntax is not supported in KQL.
2You want to find all log documents in Discover where the http.response.status_code is either 404 or 500. Which KQL query is correct?
A.http.response.status_code : (404 OR 500)
B.http.response.status_code : 404 AND 500
C.http.response.status_code IN [404, 500]
D.http.response.status_code = 404 || 500
Explanation: KQL supports grouping multiple values for a single field using parentheses with OR: `http.response.status_code : (404 OR 500)`. This is the idiomatic KQL approach for matching one of several values. The AND operator between bare values does not express multi-value OR semantics. IN is not valid KQL syntax. The || operator and = are not KQL.
3In Kibana Discover, what does the 'Surrounding documents' feature do?
A.It shows all documents matching the current KQL filter
B.It displays documents immediately before and after a selected document by timestamp
C.It opens a split-screen view of two different indices
D.It creates a saved search scoped to a time neighborhood
Explanation: The 'Surrounding documents' feature fetches documents just before and just after a selected document based on its timestamp, which is useful for understanding event context and reconstructing sequences. It does not filter by the active KQL query, open a split-screen, or create a saved search.
4Which ES|QL query returns the count of events grouped by service.name for the past hour from the 'logs-*' data stream?
A.FROM logs-* | WHERE @timestamp > NOW() - 1h | STATS COUNT() BY service.name
B.SELECT COUNT(*) FROM logs-* WHERE @timestamp > now()-1h GROUP BY service.name
C.FROM logs-* | FILTER time > 1h | AGGREGATE COUNT() BY service.name
D.FROM logs-* | TIMERANGE 1h | COUNT BY service.name
Explanation: ES|QL uses pipe-separated commands. `FROM logs-*` selects the source, `WHERE @timestamp > NOW() - 1h` filters to the last hour using the built-in NOW() function, and `STATS COUNT() BY service.name` aggregates. The SQL SELECT syntax is not ES|QL. FILTER and AGGREGATE are not ES|QL commands. TIMERANGE and COUNT BY are not valid ES|QL syntax.
5In ES|QL, which command would you use to rename a field called 'src_ip' to 'source.ip' in the output?
A.RENAME src_ip AS source.ip
B.EVAL source.ip = src_ip | DROP src_ip
C.ALIAS src_ip = source.ip
D.FIELD src_ip TO source.ip
Explanation: The ES|QL `RENAME` command renames a field: `RENAME src_ip AS source.ip`. EVAL can create a new field from an expression but combined with DROP is a workaround, not the canonical approach. ALIAS and FIELD are not ES|QL commands.
6You need to limit an ES|QL result set to the top 10 rows ordered by event count descending. Which commands accomplish this?
A.STATS COUNT() BY host | SORT COUNT() DESC | LIMIT 10
B.STATS COUNT() BY host | TOP 10 BY COUNT()
C.STATS COUNT() BY host | ORDER COUNT() DESC | FETCH 10
D.STATS COUNT() BY host | HEAD 10 SORT COUNT() DESC
Explanation: ES|QL uses `SORT` to order results and `LIMIT` to restrict the number of rows. Chaining `STATS COUNT() BY host | SORT COUNT() DESC | LIMIT 10` produces the top 10 hosts by event count. TOP, ORDER, FETCH, and HEAD are not ES|QL commands.
7What is the primary purpose of a Data View (formerly Index Pattern) in Kibana?
A.To replicate index data across clusters for redundancy
B.To define which Elasticsearch indices Kibana should read and which field is the time field
C.To enforce index lifecycle management policies
D.To configure cross-cluster search credentials
Explanation: A Data View tells Kibana which indices (or data streams) to query by specifying an index pattern and designating a time field for time-based filtering. It does not replicate data, manage ILM policies, or store cross-cluster credentials.
8Which setting in a Kibana Data View allows field values to be looked up from a separate index to display human-readable labels?
A.Field aliases
B.Runtime fields
C.Field formatters
D.Scripted fields
Explanation: Field formatters in a Data View let you transform how a field's raw value is displayed — for example using a URL formatter, a date formatter, or a lookup against another index for human-readable labels. Field aliases map one field name to another. Runtime fields compute values at query time. Scripted fields (legacy) compute values but do not perform index lookups for display labels.
9In Kibana Lens, you are building a bar chart. You want the Y-axis to show the 95th percentile of response time. Which aggregation should you choose?
A.Average
B.Max
C.Percentile
D.Unique count
Explanation: The Percentile aggregation allows you to specify any percentile value (e.g., 95) for a numeric field, making it correct for a 95th-percentile response time chart. Average gives the mean, Max gives the maximum value, and Unique count (cardinality) counts distinct values — none of these represent a specific percentile.
10In Kibana Lens, what does the 'Break down by' dimension slot control in a bar chart?
A.The metric aggregation applied to the Y-axis
B.The color-coded series or stacking dimension (equivalent to a terms sub-aggregation)
C.The time field used for the X-axis
D.The filter applied before the visualization runs
Explanation: The 'Break down by' slot in Lens adds a sub-aggregation (typically Terms) that splits the chart into color-coded series or stacked segments — similar to a Split series in the legacy visualization editor. It is separate from the Y-axis metric, the X-axis time/date field, and any pre-visualization filters.

About the Elastic Certified Analyst Exam

The Elastic Certified Analyst exam validates Kibana data analysis and visualization skills. It covers Discover and data views, KQL and ESQL query language, Lens visualizations, dashboards and Canvas, Maps with geo data, and the Kibana alerting framework with rules and connectors.

Questions

60 scored questions

Time Limit

60 minutes

Passing Score

70%

Exam Fee

$200 USD per attempt (Elastic)

Elastic Certified Analyst Exam Content Outline

~20%

Kibana Discover and Data Views

Creating and managing data views, index patterns, field filtering, KQL and Lucene query syntax, saved searches, and document-level exploration.

~20%

KQL and ESQL

KQL operators (AND, OR, NOT, wildcards, ranges, nested fields), ESQL pipe syntax (FROM, WHERE, STATS BY, EVAL, SORT, LIMIT, KEEP, DROP).

~20%

Kibana Lens and Visualizations

Lens drag-and-drop interface, dimension configuration, chart types (bar, line, area, pie, donut, treemap, heatmap), TSVB time series, and metric visualizations.

~15%

Dashboards and Canvas

Building multi-panel dashboards, controls, drilldowns, time filter configuration, shared links, and Canvas for custom pixel-perfect reporting.

~10%

Kibana Maps

Geo-point and geo-shape data layers, choropleth maps, document layers, cluster layers, spatial filtering, and coordinate map basics.

~15%

Alerting and Rules

Kibana alerting framework, rule types (index threshold, ES query, metrics threshold, log threshold), connectors (email, Slack, webhook), and action groups.

How to Pass the Elastic Certified Analyst Exam

What You Need to Know

  • Passing score: 70%
  • Exam length: 60 questions
  • Time limit: 60 minutes
  • Exam fee: $200 USD per attempt

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Elastic Certified Analyst Study Tips from Top Performers

1Practice KQL daily — know AND/OR/NOT, wildcards, range syntax, and nested field queries.
2Learn ESQL pipe commands: FROM, WHERE, STATS BY, EVAL, SORT, LIMIT, KEEP, DROP, and MV_EXPAND.
3Build at least 5 different visualization types in Lens before exam day — charts, metric, heatmap, and donut.
4Practice creating dashboards with controls (options list, range slider) and drilldowns to other dashboards.
5Configure at least one index threshold and one ES query alerting rule end-to-end including connector actions.
6Know the difference between Lens and TSVB: Lens is the modern builder; TSVB is for time-series and markdown panels.

Frequently Asked Questions

What is the Elastic Certified Analyst exam?

The Elastic Certified Analyst exam validates your ability to use Kibana for data analysis and visualization. It tests Discover queries, KQL and ESQL, Lens visualizations, dashboard building, Maps, and the alerting framework — the primary analyst-facing Kibana workflows.

What is ESQL and how is it tested?

ESQL (Elasticsearch Query Language) is a pipe-based query language for analytics in Kibana 8.11+. You write queries like: FROM my-index | WHERE status == "error" | STATS count=COUNT() BY service. The exam tests FROM, WHERE, STATS BY, EVAL, SORT, LIMIT, KEEP, and DROP commands.

How is the Elastic Certified Analyst different from the Engineer exam?

The Analyst exam focuses entirely on Kibana — visualizing, querying, and alerting on data that already exists in Elasticsearch. The Engineer exam is performance-based, testing hands-on Elasticsearch administration including mappings, ingest pipelines, ILM, and cluster management.

What types of visualizations are tested?

The exam covers Lens-based visualizations (bar, line, area, pie, donut, treemap, heatmap, metric), TSVB time series, and choosing the right chart type for a given analytical question. Canvas is tested for custom layout and expression-based reporting.

What are Kibana alerting rules?

Kibana rules define conditions that trigger actions. Common rule types include index threshold (alert when aggregation crosses a value), ES query (alert on custom query results), and metrics threshold. Actions are delivered via connectors: email, Slack, PagerDuty, or webhook.