Splunk Core Certified Power User 2026

Cisco acquired Splunk. The certifications stayed.

Cisco completed its $28 billion acquisition of Splunk in March 2024 — the largest acquisition in Cisco’s history and a clear signal of how central SIEM and security operations data platforms have become to enterprise security architecture. The acquisition raised immediate questions for Splunk certification holders and candidates: would the SPLK-* exam codes survive, would Splunk become absorbed into Cisco’s DevNet and CertPro certification tracks, and would existing credentials become obsolete?

The answer in 2026 is: the Splunk certification programme has been maintained largely intact under the Cisco umbrella. The SPLK-1001 (Core Certified User), SPLK-1002 (Core Certified Power User), SPLK-1003 (Core Certified Advanced Power User), SPLK-2001 (Enterprise Certified Admin), and the specialist ES and ITSI certifications all remain valid and continue to be delivered via Pearson VUE using the original exam codes. Cisco has begun integrating Splunk expertise into its broader security certification narrative — Cisco’s Certified CyberOps Associate and Professional tracks now reference Splunk as the dominant SIEM platform in enterprise environments — but the Splunk-branded certifications are not being retired. For hiring managers in 2026, “Splunk Power User” and “SPLK-1002” are still the language used in security operations job postings, not “Cisco Certified Splunk Practitioner.”

What the Cisco acquisition has changed is distribution and training availability. Cisco Learning & Certifications now co-promotes Splunk training alongside its own Security certifications, and Cisco Learning Credits (CLCs) can be applied toward Splunk training purchases through authorised training partners. For organisations that already have Cisco enterprise agreements with training budget, this means Splunk preparation courses are more accessible than before the acquisition — a practical benefit for IT teams with Cisco-dominant infrastructure who want to upskill on Splunk without a separate purchasing relationship.

What SPLK-1002 actually tests

The Power User exam sits one level above the Core Certified User (SPLK-1001) in Splunk’s certification hierarchy. Where the User exam tests basic search, navigation, and simple SPL commands, the Power User exam tests applied SPL proficiency — the ability to construct searches that answer real operational questions from log data, not just retrieve events. The official exam blueprint organises content into five primary domains.

Domain 1: Search Processing Language (SPL) Fundamentals and Search Modes

The foundation of every Splunk interaction is SPL, the proprietary search language that transforms raw log data into structured results. Power User candidates are expected to write SPL searches that go beyond simple keyword lookups and field-value pairs.

Search modes (Fast, Smart, Verbose): the three search modes control how much field discovery and event rendering Splunk performs during a search. Fast mode disables field discovery and event sampling for maximum throughput on large datasets; Verbose mode discovers all fields and renders all events for interactive exploration; Smart mode (the default) adapts based on whether the search uses transforming commands. Power User candidates must understand which mode to select for operational searches versus exploratory investigations to avoid unnecessary processing overhead.
Search pipeline syntax: SPL uses a Unix-pipe metaphor where each command in a search pipeline receives the output of the previous command as its input. Understanding how data flows through the pipeline — and how to order commands to reduce the data volume passing through each stage — is a core skill the exam tests through scenario questions presenting inefficient searches and asking candidates to identify the performance problem.
Time range and time modifiers: Splunk time handling is one of the most commonly misunderstood aspects of the platform. The exam tests the distinction between the UI time picker (which filters events at search time) and SPL time functions like earliest, latest, now(), and relative_time() (which manipulate timestamps within the pipeline). Understanding epoch time arithmetic and the strftime / strptime functions is required for Power User level.

Domain 2: Fields, Lookups, and Knowledge Objects

Splunk’s value comes from turning unstructured log text into structured fields that can be filtered, grouped, and correlated. Power User candidates must understand every mechanism by which fields are created and enriched.

Field extraction (rex, erex): the rex command extracts fields at search time using named capture groups in regular expressions. The exam tests candidates’ ability to write a rex command that extracts a specific value from a raw event string and stores it as a new field — a common task when working with log formats that are not natively indexed with the target fields. erex (example-based rex) generates a regex from example values; the exam tests when to use each approach.
Calculated fields: calculated fields are persistent field transformations defined in a knowledge object rather than repeated in every search. They apply SPL eval expressions to create derived fields automatically whenever a matching sourcetype is searched. The exam tests how calculated fields differ from eval commands in ad-hoc searches — calculated fields persist across sessions and users; eval results are ephemeral unless saved.
Field aliases: field aliases normalise different field names from different sourcetypes to a single canonical name, enabling unified searches across heterogeneous data sources without renaming fields at index time. The exam tests the difference between a field alias (a non-destructive pointer) and a field extraction (which creates a new field value) and when each is appropriate.
Lookups: lookups enrich search results by joining events with external data tables — CSV files, KV Store collections, or external lookup scripts. The exam covers the full lookup lifecycle: defining a lookup table file, defining a lookup definition, creating an automatic lookup that fires on every search of a given sourcetype, and writing SPL lookup and inputlookup commands. The exam also tests the difference between automatic lookups (defined as a knowledge object, fire transparently) and ad-hoc lookups (invoked explicitly in the search pipeline).
Tags and event types: tags assign semantic labels to field-value pairs; event types categorise events matching a specific search condition. Together they enable normalised, intent-driven searches like tag=authentication tag=failure across any sourcetype that has been tagged appropriately. Power User candidates must understand how tags and event types interact with the Common Information Model (CIM) — Splunk’s data normalisation framework that underpins Enterprise Security correlation searches.

Domain 3: Transforming Commands and Statistical Operations

Transforming commands convert event lists into statistical tables — the step that turns raw log data into answers. Power User candidates must be fluent with the full set of transforming commands, not just stats.

stats: the primary aggregation command. The exam tests the full range of stats functions: count, dc (distinct count), sum, avg, min, max, list, values, earliest, latest, and range. Candidates must understand when to group with by and how multi-value list differs from deduplicated values in security investigation contexts (where seeing every occurrence matters).
timechart: produces a time-series statistical table optimised for visualisation as a line or area chart. The exam tests the span argument (bucket width), the limit argument (how many distinct series to plot before collapsing to “OTHER”), and the useother=f option for suppressing the OTHER bucket in dashboards.
chart: produces a two-dimensional table with one column per distinct value of the over-clause field. The exam tests when to use chart versus stats (chart produces a pivot-style output; stats produces a flat row-per-group output) and how the over and by clauses define the table dimensions.
eval: the most versatile SPL command — a complete expression language for creating and transforming fields in the pipeline. The exam tests eval conditional logic (if, case, match), string functions (substr, len, lower, split, mvjoin), mathematical functions, and coercion functions (tostring, tonumber). The most exam-relevant eval pattern for Power User level is using eval with case() to classify events into categories for downstream stats by grouping.
transaction: groups related events into a single transaction record based on shared field values, with startswith / endswith conditions and maxspan / maxpause time constraints. The exam tests when transaction is appropriate (session reconstruction, flow analysis) versus when stats is more efficient (simple counting and aggregation do not need transaction overhead).

Domain 4: Reports, Alerts, and Scheduled Searches

Knowledge objects — saved searches, reports, and alerts — are the mechanisms by which Power Users turn one-off SPL searches into persistent operational tools. The exam tests the full configuration workflow for each type.

Scheduled reports: a saved search configured to run on a cron schedule and deliver its results by email, to a dashboard, or to an external system via webhook. The exam tests scheduling granularity, the difference between sending “results as attachment” versus “inline results” in email delivery, and how to configure acceleration for scheduled searches that run frequently on large time windows.
Alerts: saved searches configured to trigger an action when the search results meet a threshold condition. The exam covers all alert trigger conditions (number of results, custom condition, rolling window), alert suppression (preventing duplicate alerts for the same condition over a time window), and the standard alert actions: email, webhook, Splunk Mobile, run a script, and send to a lookup. The exam also tests the distinction between a real-time alert (continuously running, very low latency, high resource cost) and a scheduled alert (runs at intervals, lower resource cost).
Summary indexing: a technique where a scheduled search writes aggregated results into a separate Splunk index at regular intervals, allowing later searches to query the summary index instead of the full raw data. The exam tests the collect command (writes results to a summary index) and when summary indexing is appropriate for accelerating frequently-used expensive searches.

Domain 5: Visualisations and Dashboards

Dashboards are the primary interface through which Splunk results reach stakeholders who do not write SPL. Power User candidates must understand both the SPL commands that produce visualisable data and the dashboard configuration that renders it.

Chart types and their data requirements: each Splunk visualisation type requires a specific output format from the preceding SPL pipeline. Bar and column charts require a chart or stats table with categorical grouping; line and area charts require a timechart output or a time-bucketed chart; single-value panels require a one-row, one-column result; maps require latitude/longitude fields or a iplocation lookup. The exam tests candidates’ ability to identify why a visualisation is not rendering correctly given the shape of the underlying search results.
Drilldown: dashboard panels can be configured so that clicking on a chart segment or table cell launches a linked search or navigates to a secondary dashboard panel, passing token values from the clicked element. Power User candidates must understand how to define drilldown targets and how tokens (variables in dashboard XML) are set by panel interactions and passed to dependent panels.
Dashboard tokens and dynamic inputs: time pickers, dropdown menus, radio buttons, and text inputs inject user-selected values as tokens into dashboard panel searches, enabling dynamic dashboards that filter all panels simultaneously from a single control. The exam tests token syntax ( $token_name$ ), default token values, and how to reference a token in an SPL query string.

Exam format: 57 questions, 60 minutes, Pearson VUE

The SPLK-1002 exam is a fixed-format, proctored assessment delivered exclusively through Pearson VUE — either at an authorised test centre or via online remote proctoring. The exam consists of 57 questions, a mix of single-answer multiple choice and multiple-response questions (where two or more answers must be selected). The pass mark is a scaled score of 700 out of 1000. Splunk uses scaled scoring, meaning the raw number of correct answers required to achieve 700 varies slightly between exam form versions based on statistical calibration — candidates should assume a pass threshold of approximately 70–72% of questions correct.

The exam registration fee is $130 USD. Vouchers purchased through Splunk’s authorised training partner network sometimes include an exam attempt or a discount voucher. Retake policy: there is a 14-day wait period before a failed candidate may reattempt. No limit on the total number of attempts. Results are available immediately upon submission of the exam.

The most common SPLK-1002 failure pattern is over-confidence in SPL syntax recall and under-investment in knowledge object configuration scenarios. Candidates who use Splunk daily for searching and investigation often score well on Domain 3 (transforming commands) but underperform on Domains 2 and 4 because they have never actually configured a lookup definition, a calculated field, or an alert suppression window — those tasks fall to admins or senior engineers in many SOC environments. Hands-on lab time configuring knowledge objects in a Splunk environment is the highest-value preparation activity for Power User candidates with search-but-not-admin experience.

Splunk Power User in the job market: what it signals in 2026

Splunk holds approximately 30% of the global SIEM market by revenue, with particular dominance in large enterprise and government security operations centre (SOC) environments. Despite competition from Microsoft Sentinel, IBM QRadar, and newer cloud-native SIEM platforms, Splunk remains the default SIEM platform at Fortune 500 companies, financial services firms, and federal agencies — environments where IT security professionals are most likely to encounter it in their daily work. The Power User certification is the credential that distinguishes analysts who can use Splunk from analysts who can build with Splunk.

SOC Analyst (Tier 2 and above): tier 1 SOC analysts triage alerts; tier 2 analysts investigate them and build the searches and dashboards that make tier 1 triage more effective. The Power User cert is the primary signal that a candidate has the SPL depth to build detection logic, tune alert thresholds, and design investigation workflows rather than simply consuming output that someone else built. In job postings for tier 2 SOC Analyst and Threat Analyst roles at organisations with Splunk deployments, SPLK-1002 appears as a preferred or required qualification at approximately 40% of listed positions.
Security Engineer: security engineers who build and maintain Splunk infrastructure — writing correlation searches for Splunk Enterprise Security (ES), onboarding new data sources, maintaining CIM compliance across sourcetypes — are expected to hold Power User certification as a baseline, with SPLK-2001 (Enterprise Certified Admin) as the next credential in the progression path. Salary data for Security Engineers with Splunk Power User certification in the US ranges from $95,000 to $135,000 annually in 2026, reflecting the combination of security domain knowledge and platform-specific technical depth the role requires.
IT Operations Engineer: Splunk’s use case extends beyond security — IT operations teams use it for infrastructure monitoring, application performance observability, and incident response dashboards. Power User certification in an IT ops context signals the ability to build the operational dashboards and scheduled reports that make Splunk the “single pane of glass” infrastructure teams depend on. IT Operations Engineers and SREs with Splunk Power User certification earn $90,000–$125,000 annually in the US.
Complement to security certifications: SPLK-1002 is increasingly paired with CompTIA CySA+ (CS0-003), which covers the broader threat detection and incident response methodology, and with Splunk Enterprise Security Certified Admin for practitioners in pure Splunk ES environments. For candidates pursuing a CISSP or CISM track, Power User signals platform-level technical competence that complements the policy-and-management focus of those exams. The combination of CySA+ and Splunk Power User effectively covers both the “why” (threat detection methodology) and the “how” (SPL implementation) of security operations analytics work.

The Splunk certification ladder: where Power User fits

Splunk’s certification programme has three practitioner tracks (Core, Enterprise Admin, and Enterprise Architect) and two specialist tracks (Enterprise Security and ITSI). Power User sits at the intermediate level of the Core track, between the entry-level User cert and the advanced-level Core Certified Advanced Power User.

SPLK-1001 (Core Certified User) is the entry level: basic searching, using the Search app, saving searches, and building simple dashboards. Candidates with any hands-on Splunk exposure typically find SPLK-1001 straightforward. It is the recommended but unenforced prerequisite for Power User.

SPLK-1002 (Core Certified Power User) — this exam — tests applied SPL, knowledge objects, and dashboard construction. It is the credential that most SOC and IT ops job descriptions reference when they specify Splunk experience. For the majority of Splunk-using practitioners who are not platform administrators, Power User is the target destination rather than a stepping stone.

SPLK-1003 (Core Certified Advanced Power User) tests advanced SPL topics: subsearches, tstats for accelerated data model queries, the Common Information Model (CIM), data model acceleration, and advanced dashboard design patterns. It is the natural next step for Power Users who need to work directly with CIM-compliant data models or build highly optimised searches against large data volumes. In Enterprise Security deployments, SPLK-1003 is increasingly expected of the engineers who maintain and tune ES correlation searches.

SPLK-2001 (Enterprise Certified Admin) covers the platform administration layer: index management, forwarder configuration, deployment server, user role management, and distributed search architecture. It is a separate track from Core and targets system administrators rather than analysts or engineers. Many organisations expect their Splunk administrators to hold both Power User and Admin certifications, since effective administration requires understanding how users and their knowledge objects interact with the platform configuration.

Preparing for SPLK-1002: what works

Splunk offers an official preparation course, “Splunk Power User,” as a two-day instructor-led training (ILT) or a self-paced e-learning option through the Splunk Education portal. The course covers all five exam domains with hands-on lab exercises in a Splunk lab environment. For candidates without prior SPL experience, the official course is the fastest path to exam readiness because the lab exercises build the hands-on knowledge object configuration experience that the exam tests heavily.

For candidates with existing Splunk search experience but limited knowledge object configuration exposure — the most common profile of a tier 2 SOC analyst — the most efficient preparation strategy is targeted lab work on the specific knowledge object types covered in Domain 2 and Domain 4. Splunk provides a free 60-day trial of Splunk Enterprise with sample data sets, and the Splunk Boss of the SOC (BOTS) dataset (a realistic simulated incident investigation dataset) is freely available for download and provides excellent scenario-based practice for the real-world search scenarios the exam mirrors.

Splunk’s free online training portal (Splunk Education) includes the “Introduction to Splunk” and “Using Fields” courses that directly cover SPLK-1001 and early SPLK-1002 domain material. The paid Power User course ($500 USD for e-learning) adds knowledge objects, scheduled searches, and dashboard configuration labs. Third-party practice exam providers offer question banks for SPLK-1002 that are reasonably representative of the exam’s scenario-based question style.

Preparation tip

The most-missed question type on SPLK-1002 involves lookup configuration: specifically, understanding the difference between a lookup table file, a lookup definition, and an automatic lookup, and knowing the correct order of steps to configure a working automatic lookup. Walk through this workflow at least twice in a lab environment — create a CSV, upload it as a table file, define the lookup definition with input/output fields, and configure an automatic lookup tied to a sourcetype. The exam will present a scenario where one of these steps is missing or mis-configured and ask you to identify the problem.

Recommended path: User before Power User

While SPLK-1001 (Core Certified User) is not a hard prerequisite for SPLK-1002, candidates who attempt Power User without prior Splunk experience consistently report that the exam is harder than expected. Splunk’s own recommendation is to complete the User-level training first. Candidates can register directly for either exam via Splunk’s certification page or through Pearson VUE. Splunk Education training units (ETUs) can be used to offset course fees if purchased in bulk through a Splunk training subscription.

Sharpen your security and cloud skills with free practice questions on CertQuests — CompTIA, AWS, Azure, and more.

Browse All Certifications →