Splunk Core Certified User — Question 20

Which of the following describes lookup files?

Answer options

• A. Lookup fields cannot be used in searches.
• B. Lookups contain static data available in the index.
• C. Lookups add more fields to results returned by a search.
• D. Lookups pull data at index time and add them to search results.

Correct answer: C

Explanation

The correct answer is C because lookup files indeed add extra fields to the results of a search, enhancing the information returned. Option A is incorrect as lookup fields can be used in searches, B is wrong because lookups do not contain static data in the index; they reference external data, and D is misleading since lookups operate at search time, not index time.