
100+ Free Splunk Cloud Certified Admin Practice Questions

Pass your Splunk Cloud Certified Admin (SPLK-1005) exam on the first try — instant access, no signup required.


Key Facts: Splunk Cloud Certified Admin Exam

  • Official questions: 60 (Splunk SPLK-1005 blueprint)
  • Exam window: 75 min, including time to review the exam agreement
  • Passing score: 700/1000 (Splunk exam page)
  • Exam fee: $130 (Splunk / Pearson VUE)
  • Prerequisite: Splunk Core Certified Power User (official Cloud Admin track)
  • Blueprint domains: 13 (official SPLK-1005 blueprint)

SPLK-1005 is a 60-question, 75-minute Pearson VUE exam scored on a 1000-point scale with a minimum passing score of 700. The blueprint spans 13 domains, weighted most heavily on Getting Data in Cloud and Forwarder Management at 15% each, plus Network/Other Inputs, Parsing Phase, and Manipulating Raw Data at 10% each. Splunk Core Certified Power User is the prerequisite. Splunk recommends the Splunk Cloud Administration course for net-new admins and Transitioning to Splunk Cloud for experienced Enterprise admins.

Sample Splunk Cloud Certified Admin Practice Questions

Try these sample questions to test your Splunk Cloud Certified Admin exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. Which statement best describes the operational split between Splunk and the customer in a Splunk Cloud Platform deployment?
A. The customer manages the OS and indexer hardware while Splunk only sells the license
B. Splunk operates the underlying infrastructure, indexers, and search heads while the customer manages data onboarding, knowledge objects, and users
C. The customer must run their own indexer cluster and Splunk operates only the search heads
D. Splunk manages everything including dashboards, alerts, and user roles for the customer
Explanation (correct answer: B): In Splunk Cloud Platform, Splunk runs the underlying infrastructure (indexers, search heads, network, OS patching, capacity). The customer is responsible for what flows through that platform: data inputs, index definitions and their retention settings, knowledge objects, users, roles, and the apps installed in their stack.
2. Which two Splunk Cloud Platform experiences exist that an admin should distinguish between when configuring data inputs and apps?
A. Classic Experience and Victoria Experience
B. Lite Experience and Pro Experience
C. Free Experience and Premium Experience
D. Indexer Experience and Search Head Experience
Explanation (correct answer: A): A Splunk Cloud Platform stack runs on one of two experiences, Classic or the newer Victoria. Admin procedures differ between them: for example, Classic stacks host modular inputs on a separate Inputs Data Manager (IDM), while Victoria stacks run them on the search head tier, and Self-Service App Install support and certain ACS endpoints also differ. Check which experience your stack is on before following a procedure.
3. A new admin migrating from Splunk Enterprise asks why they cannot SSH into the indexer to inspect bucket directories on Splunk Cloud Platform. Which is the best explanation?
A. SSH is enabled but only on weekends for maintenance
B. Splunk Cloud Platform is a managed service; Splunk operates indexers and search heads, and direct OS or filesystem access is not provided to customers
C. SSH access is granted only to users with the admin_all_objects capability
D. SSH is available through the Monitoring Console once enabled
Explanation (correct answer: B): Splunk Cloud Platform is a managed SaaS offering. Customers get no OS-level or filesystem access to indexers or search heads, so bucket directories cannot be inspected directly. Configuration is done through Splunk Web, the REST API, the Admin Config Service (ACS) API, or supported app upload paths.
4. Which capability is generally available in Splunk Cloud Platform that is NOT a feature of Splunk Enterprise on its own?
A. btool
B. props.conf and transforms.conf
C. Splunk-managed infrastructure with capacity expansion handled by Splunk
D. REST API for searches
Explanation (correct answer: C): The defining difference is that Splunk Cloud Platform is operated by Splunk: capacity, patching, upgrades, and infrastructure scaling are handled by Splunk. props/transforms and the REST API exist in both products, and btool exists in both as well, although Cloud customers cannot run CLI tools against the Splunk-managed tier.
5. Which Splunk Cloud Platform component is provided by Splunk for inbound data collection from cloud sources such as AWS, GCP, Azure, and SaaS APIs without running a heavy forwarder in the customer environment?
A. Splunk Universal Forwarder
B. Splunk Inputs Data Manager (IDM)
C. Splunk Web on the search head
D. Splunk Enterprise Security
Explanation (correct answer: B): The Inputs Data Manager (IDM) is a Splunk-managed component of Classic Experience stacks that hosts modular inputs and pulls data from cloud APIs (AWS, Azure, GCP, SaaS), so customers do not need to run their own heavy forwarder for those inputs. On Victoria Experience stacks the same modular inputs run on the search head tier and no separate IDM is provisioned.
6. An admin wants to create a new index in Splunk Cloud Platform. Which is the recommended supported method?
A. SSH into the indexer and edit indexes.conf directly
B. Use Splunk Web Settings > Indexes, the indexes REST endpoint, or the ACS API
C. Submit a ticket to Splunk Support for every new index
D. Edit $SPLUNK_HOME/etc/system/local/indexes.conf on the search head
Explanation (correct answer: B): In Splunk Cloud Platform, customers do not have filesystem access to indexers, so indexes.conf cannot be edited by hand. Index creation is done through Splunk Web (Settings > Indexes), the data/indexes REST endpoint, or the Admin Config Service (ACS) API, which is the scriptable option for automation. Support tickets are not required for normal index creation.
7. Which Splunk Cloud Platform setting most directly controls how long event data remains searchable in a given index before it is removed?
A. maxTotalDataSizeMB on indexes.conf only
B. frozenTimePeriodInSecs on the index, expressed in seconds
C. maxHotBuckets
D. homePath_maxDataSizeMB
Explanation (correct answer: B): frozenTimePeriodInSecs (presented as searchable retention in Splunk Web) is the time-based retention setting: a bucket rolls to frozen once its newest event is older than this value. In Splunk Cloud, frozen data is deleted unless Dynamic Data Self Storage or Dynamic Data Active Archive has been configured for the index. Size-based settings such as maxTotalDataSizeMB cap storage and can freeze buckets early when the cap is hit, but they do not express the desired retention window.
8. Which command can a Splunk Cloud admin use through Splunk Web to selectively remove events from an index that match a search, without deleting the entire index?
A. | clean eventdata
B. | delete (used with the can_delete role)
C. splunk stop indexer
D. rm -rf in the index hot bucket
Explanation (correct answer: B): The delete search command marks matching events so that searches no longer return them; it does not reclaim disk space. It requires the can_delete role, which is deliberately not granted to admin by default, so the admin must assign it (ideally temporarily) before running the search. It is the supported way in Splunk Cloud to remove specific events. splunk clean eventdata is a CLI command run on the Splunk server, which Cloud customers cannot do, and it wipes a whole index rather than selected events.
9. An admin needs to monitor daily indexing volume against the licensed Splunk Cloud allowance. Which built-in tool is the most appropriate first stop?
A. btool list
B. The Cloud Monitoring Console (CMC) app and the License Usage Report View
C. splunk show license-violation
D. The Splunk Web Search & Reporting > Live Tail tab
Explanation (correct answer: B): The Cloud Monitoring Console (CMC) is the Splunk-supplied app for visibility into a Splunk Cloud Platform stack and includes license and ingest dashboards; the License Usage Report View surfaces usage trends against the entitlement. btool is a CLI tool that Cloud customers cannot run against the managed tier.
10. When deleting an index in Splunk Cloud Platform via Splunk Web, what happens to the data in that index?
A. It is moved to a thawed directory for later restore
B. It is permanently deleted; there is no automatic frozen archive in Splunk Cloud
C. It is archived to the customer's S3 bucket automatically
D. It is preserved for 30 days as a recycle bin entry
Explanation (correct answer: B): Removing an index in Splunk Cloud Platform deletes its data; there is no recycle bin or thawed directory to restore from. Data that ages out of an index is preserved only if Dynamic Data Self Storage or Dynamic Data Active Archive was configured beforehand, so treat index deletion as a destructive operation and confirm it with the data owners before executing it.

About the Splunk Cloud Certified Admin Exam

The Splunk Cloud Certified Admin (SPLK-1005) exam validates the ability to administer Splunk Cloud Platform, including data onboarding, forwarder fleet management, indexes, authentication and authorization, configuration files, parsing and transformations, app management, and working with Splunk Cloud Support. It is the professional-level admin certification in the Splunk Cloud track and requires the Splunk Core Certified Power User prerequisite.

  • Assessment: 60 multiple-choice questions
  • Time limit: 75 minutes
  • Passing score: 700/1000
  • Exam fee: $130 USD (Splunk / Pearson VUE)

Splunk Cloud Certified Admin Exam Content Outline

Splunk Cloud Overview (5%)

Describe Splunk Cloud topology, the admin's responsibilities on a managed platform, differences from Splunk Enterprise, and the distinction between Self-Service Cloud and Managed Cloud.

Index Management (5%)

Define and create indexes through Splunk Web, REST, or the ACS API. Delete events using the can_delete role. Monitor indexing activity in the Cloud Monitoring Console and License Usage Report View.

User Authentication and Authorization (5%)

Administer Splunk roles and capabilities. Integrate Splunk Cloud with LDAP, Active Directory, or SAML, with SAML SSO as the recommended enterprise pattern and IdP group-to-role mapping.

Splunk Configuration Files (5%)

Review configuration file precedence, default vs local directories, and the boundary between index-time and search-time processing on customer-managed Splunk components.

Getting Data in Cloud (15%)

Use the Splunk Cloud data input process, choose the right forwarder type, install the Universal Forwarder Credentials Package, configure forwarder-to-Cloud connections, and use IDM-hosted modular inputs and Splunk Connect for Syslog (SC4S) for scaled syslog ingestion.

Forwarder Management (15%)

Run a customer-managed Splunk Deployment Server, build deployment-apps under $SPLUNK_HOME/etc/deployment-apps, define server classes in serverclass.conf, and monitor forwarders via Forwarder Management and _internal phonehome events.
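To make the server-class rules concrete, here is an added example that is not from this page, from Splunk, or from the exam: a small Python model of how a deployment server decides which deployment apps a phoning-home client receives from serverclass.conf. The serverclass.conf text, the hostnames, IP addresses, machine types and app names are constructed for the illustration. The matching rules it implements are the documented ones, simplified to hostname and IP matching: a client must match at least one whitelist.N entry and no blacklist.N entry (blacklist wins), "." is literal and "*" is a wildcard in those entries, and machineTypesFilter restricts membership by platform.

```python
"""Model of deployment-server server class filtering (serverclass.conf).
Added illustration, not Splunk's code: whitelist.N / blacklist.N patterns and
machineTypesFilter decide which deployment apps a phoning-home client gets."""
import configparser
import re

# Constructed serverclass.conf: web hosts get nginx inputs except canaries;
# every client gets the outputs app that points it at Splunk Cloud.
SERVERCLASS_CONF = """
[global]
restartSplunkd = true

[serverClass:linux_web]
whitelist.0 = web-*
whitelist.1 = 10.0.1.*
blacklist.0 = web-canary-*
machineTypesFilter = linux-x86_64

[serverClass:linux_web:app:nginx_inputs]

[serverClass:all_uf]
whitelist.0 = *

[serverClass:all_uf:app:splunkcloud_outputs]
"""

# Constructed phonehome data as the server would see it (hostname, ip, platform).
CLIENTS = [
    {"hostname": "web-01", "ip": "10.0.1.11", "machineType": "linux-x86_64"},
    {"hostname": "web-canary-01", "ip": "10.0.1.99", "machineType": "linux-x86_64"},
    {"hostname": "db-01", "ip": "10.0.1.20", "machineType": "linux-x86_64"},
    {"hostname": "web-win-01", "ip": "10.0.2.5", "machineType": "windows-x64"},
]


def pattern_to_regex(pattern: str) -> re.Pattern:
    """serverclass.conf entries: '.' is literal and '*' means 'anything'."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def _matches_any(entries, client) -> bool:
    """A pattern may match the hostname or the IP the client phoned home from."""
    ids = (client["hostname"], client["ip"])
    return any(pattern_to_regex(e).match(i) for e in entries for i in ids)


def client_in_class(section, client) -> bool:
    """Member iff some whitelist.N matches, no blacklist.N matches, and the
    machineTypesFilter (if set) admits the client's platform."""
    wl = [v for k, v in section.items() if k.startswith("whitelist.")]
    bl = [v for k, v in section.items() if k.startswith("blacklist.")]
    if not _matches_any(wl, client) or _matches_any(bl, client):
        return False
    mtf = section.get("machineTypesFilter")
    if mtf:
        return any(pattern_to_regex(t.strip()).match(client["machineType"])
                   for t in mtf.split(","))
    return True


def apps_for(client, conf_text=SERVERCLASS_CONF) -> list:
    """Deployment apps the client receives, in serverclass.conf order."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .conf keys are case-sensitive; keep them as written
    cp.read_string(conf_text)
    apps = []
    for sec in cp.sections():
        parts = sec.split(":")
        if len(parts) == 4 and parts[0] == "serverClass" and parts[2] == "app":
            if client_in_class(cp["serverClass:" + parts[1]], client):
                apps.append(parts[3])
    return apps


if __name__ == "__main__":
    for c in CLIENTS:
        print(c["hostname"], "->", apps_for(c))
```

Note that db-01 receives nginx_inputs only because whitelist.1 = 10.0.1.* matches its IP: an IP pattern that is broader than intended silently enrolls hosts you did not mean to touch, which is exactly the kind of mismatch to look for in Forwarder Management before pushing an app whose server class has restartSplunkd = true.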

Monitor Inputs (5%)

Create file and directory monitor inputs, use allowlist/denylist filters, override sourcetype and host, manage fishbucket and crcSalt behavior, and apply optional monitor settings for first-time ingestion.

Network and Other Inputs (10%)

Configure [tcp://] and [udp://] inputs, build basic scripted inputs with [script://] and interval, identify Windows input types (WinEventLog, WinHostMon, performance counters), and ingest token-authenticated events with HEC including indexer acknowledgement.

Fine-tuning Inputs (5%)

Understand default input-phase processing, force a sourcetype with the sourcetype attribute on the input stanza, set CHARSET for non-ASCII data, and reason about pipeline behavior before parsing begins.

Parsing Phase and Data Preview (10%)

Tune LINE_BREAKER and SHOULD_LINEMERGE, control timestamps with TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD, manage time zones, and validate parsing using Splunk Web Data Preview before deploying changes.
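These attributes interact in ways that are easiest to see on sample events, which is what Data Preview is for. The following is an added Python model, not Splunk's parser and not from this page: it applies a constructed props.conf stanza for a hypothetical sourcetype app:java to a constructed Java application log, and shows why the lookahead in LINE_BREAKER keeps a stack trace in one event and how TIME_PREFIX, MAX_TIMESTAMP_LOOKAHEAD and TIME_FORMAT locate and parse the timestamp. It models only those attributes; Splunk's real timestamp logic (TZ, MAX_DAYS_AGO, and the fallbacks used when nothing parses) is not reproduced.

```python
"""Simplified model of the Splunk parsing phase: LINE_BREAKER, then timestamp
extraction driven by TIME_PREFIX / TIME_FORMAT / MAX_TIMESTAMP_LOOKAHEAD.
Added illustration; not Splunk code, and it models only the attributes named."""
import configparser
import re
from datetime import datetime

# Constructed props.conf stanza for a hypothetical sourcetype "app:java".
# The lookahead in LINE_BREAKER only breaks before a line that starts with a date.
PROPS_CONF = r"""
[app:java]
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)
TIME_PREFIX = ^
MAX_TIMESTAMP_LOOKAHEAD = 30
TIME_FORMAT = %Y-%m-%dT%H:%M:%S%z
"""

# Constructed sample: the stack trace would become separate events under the
# default LINE_BREAKER ([\r\n]+); the last line carries a non-UTC offset.
RAW = (
    "2024-05-01T10:00:00+0000 INFO  Starting service pid=4242\n"
    "2024-05-01T10:00:01+0000 ERROR Unhandled exception\n"
    "java.lang.NullPointerException: boom\n"
    "    at com.example.Svc.run(Svc.java:42)\n"
    "    at java.base/java.lang.Thread.run(Thread.java:833)\n"
    "2024-05-01T12:00:02+0200 WARN  Disk at 91%\n"
)


def load_stanza(conf_text: str, name: str) -> dict:
    """Read one stanza; keys keep their case as in Splunk .conf files."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return dict(cp[name])


def break_events(raw: str, line_breaker: str) -> list:
    """LINE_BREAKER semantics: the stream is split at the regex and the text
    matched by its first capture group is discarded. re.split returns the
    captured separators at the odd indices, so keep the even ones."""
    parts = re.split(line_breaker, raw)
    return [p.strip("\r\n") for p in parts[0::2] if p.strip()]


def extract_time(event: str, props: dict):
    """Look for TIME_FORMAT only within MAX_TIMESTAMP_LOOKAHEAD characters
    after the TIME_PREFIX match; return epoch seconds (UTC) or None if nothing
    parses (real Splunk would then fall back to other timestamp sources)."""
    m = re.search(props.get("TIME_PREFIX", ""), event)
    if not m:
        return None
    window = event[m.end():m.end() + int(props.get("MAX_TIMESTAMP_LOOKAHEAD", 128))]
    fmt = props["TIME_FORMAT"]
    # Longest prefix first, so "+0000" wins over a shorter but still valid "+00".
    for end in range(len(window), 0, -1):
        try:
            return datetime.strptime(window[:end], fmt).timestamp()
        except ValueError:
            continue
    return None


def parse(raw: str, conf_text: str, sourcetype: str) -> list:
    """Return (epoch, _raw) pairs as the parsing phase would hand them on."""
    props = load_stanza(conf_text, sourcetype)
    events = break_events(raw, props["LINE_BREAKER"])
    return [(extract_time(e, props), e) for e in events]


if __name__ == "__main__":
    for ts, ev in parse(RAW, PROPS_CONF, "app:java"):
        print(ts, ev.splitlines()[0])
```

Running it yields three events with epoch times 1714557600, 1714557601 and 1714557602: the stack trace stays attached to the ERROR line, and the +0200 event lands at the UTC instant two seconds after the +0000 events, which is the kind of result you confirm in Data Preview before the stanza goes live. Breaking the same sample with the default ([\r\n]+) produces six events, one per line.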

Manipulating Raw Data (10%)

Define transformations in props.conf and transforms.conf, mask sensitive data with SEDCMD at index time, route events using DEST_KEY = MetaData:Sourcetype or _MetaData:Index, and drop unwanted events using DEST_KEY = queue and FORMAT = nullQueue on a heavy forwarder.
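An added example for this domain, written in Python and not taken from this page or from Splunk: constructed props.conf and transforms.conf stanzas for a hypothetical sourcetype app:payments mask card numbers with SEDCMD, drop DEBUG events by sending them to nullQueue, and route AUDIT events to a separate index with _MetaData:Index; a small evaluator then applies them to three constructed events. The evaluator supports only s/// SEDCMDs with the g and i flags and the two DEST_KEY values shown, and it assumes SEDCMD runs before TRANSFORMS and that the default destination is indexQueue and index main; none of those assumptions changes the outcome for these events, whose routing regexes do not touch the masked text.

```python
"""Model of index-time event manipulation from props.conf / transforms.conf:
SEDCMD masking, TRANSFORMS routing via _MetaData:Index, and nullQueue dropping.
Added illustration, not Splunk code; the pipeline is simplified (see comments)."""
import configparser
import re

# Constructed props.conf / transforms.conf for a hypothetical sourcetype.
PROPS_CONF = r"""
[app:payments]
SEDCMD-mask_card = s/\b(\d{4})(?:[ -]?\d{4}){2}[ -]?(\d{4})\b/\1-XXXX-XXXX-\2/g
TRANSFORMS-routing = drop_debug, route_audit
"""

TRANSFORMS_CONF = r"""
[drop_debug]
REGEX = \sDEBUG\s
DEST_KEY = queue
FORMAT = nullQueue

[route_audit]
REGEX = \sAUDIT\s
DEST_KEY = _MetaData:Index
FORMAT = audit
"""

# Constructed sample events; the card numbers are the usual test PAN prefix.
RAW_EVENTS = [
    "2024-05-01T10:00:00Z INFO payment approved card=4111 1111 1111 1234 amount=19.99",
    "2024-05-01T10:00:01Z DEBUG gateway trace id=77",
    "2024-05-01T10:00:02Z AUDIT user=alice action=refund card=4111-1111-1111-9999",
]


def load_conf(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # .conf keys are case-sensitive
    cp.read_string(text)
    return cp


def apply_sedcmd(raw: str, expr: str) -> str:
    """Apply one SEDCMD of the form s/regex/replacement/flags (g and i only).
    A delimiter inside the regex or replacement must be escaped as \\/."""
    m = re.fullmatch(r"s/((?:\\/|[^/])*)/((?:\\/|[^/])*)/([gi]*)", expr)
    if not m:
        raise ValueError(f"unsupported SEDCMD: {expr}")
    pattern, repl, flags = (s.replace(r"\/", "/") for s in m.groups())
    return re.sub(pattern, repl, raw,
                  count=0 if "g" in flags else 1,
                  flags=re.IGNORECASE if "i" in flags else 0)


def process(raw: str, sourcetype: str, props_text: str, transforms_text: str):
    """Return (index, _raw) for an event, or None if it ends up in nullQueue."""
    props = load_conf(props_text)[sourcetype]
    transforms = load_conf(transforms_text)
    meta = {"queue": "indexQueue", "index": "main"}  # assumed defaults

    # SEDCMD-<class> settings rewrite _raw before it is written to disk.
    # Assumption of this model: SEDCMD is applied before TRANSFORMS.
    for key, expr in props.items():
        if key.startswith("SEDCMD-"):
            raw = apply_sedcmd(raw, expr)

    # TRANSFORMS-<class> lists run in order; a later transform can override an
    # earlier one (the classic "nullQueue everything, then re-admit" pattern).
    for key, value in props.items():
        if not key.startswith("TRANSFORMS-"):
            continue
        for name in (n.strip() for n in value.split(",")):
            t = transforms[name]
            if not re.search(t["REGEX"], raw):
                continue
            if t["DEST_KEY"] == "queue":
                meta["queue"] = t["FORMAT"]
            elif t["DEST_KEY"] == "_MetaData:Index":
                meta["index"] = t["FORMAT"]

    if meta["queue"] == "nullQueue":
        return None
    return meta["index"], raw


def run(events):
    return [process(e, "app:payments", PROPS_CONF, TRANSFORMS_CONF) for e in events]


if __name__ == "__main__":
    for result in run(RAW_EVENTS):
        print(result)
```

The first event is kept in main with the card number reduced to its first and last four digits, the DEBUG event is dropped, and the AUDIT event is masked and routed to the audit index. Because the masking happens at index time, the original PAN never reaches disk; a search-time field extraction could not give you that guarantee.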

Installing and Managing Apps (5%)

Install Splunkbase apps via Self-Service App Install, upload private apps that pass Splunk AppInspect vetting, and manage app lifecycles through Splunk Web and the ACS API rather than direct filesystem access.

Working with Splunk Cloud Support (5%)

Isolate problems before contacting support; gather search IDs (sids), Job Inspector output, sample events, and recent change context; and file cases through the Splunk Customer Support Portal with clear scope and impact.

How to Pass the Splunk Cloud Certified Admin Exam

What You Need to Know

  • Passing score: 700/1000
  • Assessment: 60 multiple-choice questions
  • Time limit: 75 minutes
  • Exam fee: $130 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Splunk Cloud Certified Admin Study Tips from Top Performers

1. Spend the most time on Getting Data in Cloud and Forwarder Management, because each carries 15% of the blueprint.
2. Practice with a real Splunk Cloud free trial: install the Universal Forwarder Credentials Package, send data with HEC, and confirm via _internal that ingestion is healthy.
3. Build a small SC4S lab and prove that syslog reaches Splunk Cloud. Splunk Cloud does not expose a raw UDP/514 listener on the indexer tier, so syslog must land on SC4S or a heavy forwarder that you operate, which then forwards to Cloud.
4. Know the inputs.conf, outputs.conf, deploymentclient.conf, props.conf, and transforms.conf attributes that the blueprint repeatedly tests.
5. Memorize the difference between Self-Service App Install, Splunkbase apps that Splunk has vetted for Cloud, and private apps that must pass AppInspect before upload.
6. Treat parsing problems as Data Preview problems: tune LINE_BREAKER, SHOULD_LINEMERGE, TIME_PREFIX, TIME_FORMAT, and MAX_TIMESTAMP_LOOKAHEAD against sample events before deploying the sourcetype.

Frequently Asked Questions

How many questions are on the Splunk Cloud Certified Admin (SPLK-1005) exam?

Splunk's official blueprint and exam page list 60 multiple-choice questions for SPLK-1005. The total exam window is 75 minutes, and Splunk notes that the total includes 3 minutes to review the exam agreement.

What is the passing score for SPLK-1005?

Splunk publishes a minimum scaled passing score of 700 out of 1000 for the Splunk Cloud Certified Admin exam. Plan study time so that you can answer comfortably across all 13 blueprint domains instead of carrying weak performance in any one area.

What is the prerequisite for SPLK-1005?

The Splunk Core Certified Power User credential is the official prerequisite for the Splunk Cloud Certified Admin track. Splunk also recommends the Splunk Cloud Administration course for net-new admins or Transitioning to Splunk Cloud for experienced Enterprise admins.

Which topics matter most on SPLK-1005?

Two domains lead the blueprint at 15% each: Getting Data in Cloud and Forwarder Management. Three more carry 10% each: Network and Other Inputs, Parsing Phase and Data Preview, and Manipulating Raw Data. Together these five domains cover 60% of the exam.

How long should I study for SPLK-1005?

Most candidates need around 40 to 60 hours of focused review after meeting the Power User prerequisite. The time should include hands-on work in Splunk Cloud Web, configuration of forwarders against a Cloud receiver, and timed practice questions across all blueprint domains.

What changed in Splunk certification policy in 2026?

Splunk published program-wide certification changes effective March 1, 2026. The update changed recertification handling and removed coursework-based recertification options, so candidates should review the latest Splunk certification policy before planning renewals.