Elastic Stack Elastic Certified Analyst Practice Exam, Exams of Technology

Designed for Kibana and analytics users, this exam evaluates dashboard creation, Lens visualizations, anomaly detection, alerting configuration, data exploration, and building advanced searches with KQL and EQL. It assesses the ability to transform raw Elasticsearch data into actionable insights, including building reports and analytic workflows for operations, security, and observability.

Typology: Exams

2025/2026

Available from 01/06/2026

shilpi-jain-1
Elastic Stack Elastic Certified Analyst
Practice Exam
**Question 1.** In Kibana Discover, which field must be selected as the time filter field when creating a data view for time-based indices?
A) @timestamp
B) message
C) host.name
D) _id
Answer: A
Explanation: The @timestamp field is the default time field used by Kibana to filter documents based on time ranges.
**Question 2.** When configuring a data view without a time filter, which option should you choose?
A) “Use a custom time field”
B) “Disable time filter”
C) “Set time field to null”
D) “Make the index pattern static”
Answer: B
Explanation: Kibana provides a “Disable time filter” toggle for data views that do not contain time-based data.
**Question 3.** Which Kibana Query Language (KQL) operator is used to exclude documents that contain a specific term?
A) AND
B) OR
C) NOT
D) +

Answer: C
Explanation: The NOT operator negates a condition, filtering out documents that match the term.
**Question 4.** In KQL, how would you search for events where the status field is either “error” or “warning”?
A) status: error && status: warning
B) status: (error, warning)
C) status: (error OR warning)
D) status: error OR status: warning
Answer: D
Explanation: KQL uses the OR keyword to combine alternative values for a field.
**Question 5.** Which Lucene syntax enables fuzzy matching with a maximum edit distance of 2?
A) “error~2”
B) “error~”
C) “error~1”
D) “error~0.8”
Answer: A
Explanation: The tilde followed by a number (e.g., ~2) specifies the allowed edit distance for fuzzy searches.
**Question 6.** To create a filter that matches documents where the field bytes is greater than 1 GB, which KQL expression is correct?
A) bytes > 1073741824

A) To permanently add a new field to the source index
B) To compute a field value at query time without reindexing
C) To store scripted metric aggregations
D) To replace the need for index templates
Answer: B
Explanation: Runtime fields are evaluated on the fly during query execution, allowing dynamic calculations without altering the underlying index.
**Question 10.** Which of the following is NOT a valid way to define a runtime field in Kibana?
A) Using a Painless script in the field definition UI
B) Creating a stored script and referencing it
C) Defining the field in the Elasticsearch mapping as “runtime”
D) Adding a field via a Logstash pipeline
Answer: D
Explanation: Logstash pipelines add fields at ingest time, not as runtime fields evaluated during search.
**Question 11.** In Discover, after creating a saved search, which feature lets you embed that search in a dashboard?
A) “Add to dashboard” button on the saved search list
B) “Export as CSV” then import
C) “Create visualization from search”
D) “Pin to global filter”
Answer: A
Explanation: Saved searches can be directly added to dashboards via the “Add to dashboard” action.

**Question 12.** Which time filter preset selects documents from the last 15 minutes?
A) “now-15m to now”
B) “now-15m”
C) “last 15 minutes”
D) “15m ago”
Answer: A
Explanation: Kibana’s absolute time range syntax uses “now-15m to now” to represent the last 15 minutes.
**Question 13.** If you need to see only documents where the field user.agent.keyword contains the word “Chrome”, which KQL query is correct?
A) user.agent.keyword: Chrome
B) user.agent.keyword: Chrome
C) user.agent.keyword: /Chrome/
D) user.agent.keyword: “Chrome”
Answer: A
Explanation: KQL performs exact term matching on keyword fields without wildcards.
**Question 14.** Which Kibana feature allows you to quickly switch between relative and absolute time ranges?
A) Time picker dropdown
B) Index pattern selector
C) Saved query panel
D) Dashboard settings
Answer: A

C) Create a new index pattern
D) Use “Split series” option
Answer: A
Explanation: The “Add layer” feature lets you overlay additional metrics on the same chart canvas.
**Question 18.** To change the color of a bar series based on its value (e.g., red for > 1000), which Lens option should you use?
A) “Custom palette” with “Dynamic” mode
B) “Series options” → “Color rules”
C) “Label formatting” → “Conditional”
D) “Axis settings” → “Thresholds”
Answer: B
Explanation: Lens provides “Color rules” under series options to apply conditional coloring based on metric values.
**Question 19.** When configuring a Lens line chart, which setting controls the X-axis interval for date histograms?
A) “Time scale” → “Interval”
B) “Axis format” → “Date format”
C) “Breakdown” → “Auto-interval”
D) “Chart style” → “Smooth lines”
Answer: A
Explanation: The “Time scale” interval defines how Kibana buckets dates on the X-axis (e.g., auto, minute, hour).

**Question 20.** Which Lens feature lets you annotate a chart with a static text note at a specific timestamp?
A) “Add reference line” → “Label”
B) “Add annotation” → “Text”
C) “Series options” → “Tooltip”
D) “Chart title” → “Subtitle”
Answer: B
Explanation: Lens provides an “Add annotation” tool that allows you to place textual notes at chosen points on the timeline.
**Question 21.** In a Lens table visualization, how can you display a summary row that shows the sum of a numeric column?
A) Enable “Show totals” in the table options
B) Add a “Metric” layer with sum aggregation
C) Use “Pivot” → “Grand total”
D) Create a scripted field for the total
Answer: A
Explanation: The table visualization includes a “Show totals” toggle that adds a summary row with aggregations like sum.
**Question 22.** Which of the following Lens chart types cannot display multiple Y-axes?
A) Bar chart
B) Line chart
C) Area chart
D) Pie chart
Answer: D

C) Allows the user to drag the line manually
D) Sets the line to a constant value defined by the user
Answer: B
Explanation: The “Dynamic” reference line recalculates its position according to the selected time range.
**Question 26.** In Lens, which setting controls the tooltip display for a series?
A) “Series options” → “Tooltip mode”
B) “Chart style” → “Show hover”
C) “Visualization options” → “Hover details”
D) “Axis settings” → “Tooltip”
Answer: A
Explanation: The tooltip behavior is managed under “Series options”, where you can enable, disable, or customize it.
**Question 27.** Which Lens chart type is most suitable for displaying a single numeric value with a threshold indicator?
A) Metric
B) Gauge
C) Bar
D) Area
Answer: B
Explanation: Gauges visualize a single metric against defined thresholds, ideal for threshold indicators.

**Question 28.** When creating a Lens visualization that uses a scripted field, what must you ensure about the field’s data type?
A) It matches the aggregation you intend to use (e.g., numeric for sum)
B) It is always a keyword type
C) It is stored as a doc value
D) It is indexed as “text”
Answer: A
Explanation: The scripted field’s return type must be compatible with the aggregation; numeric fields are required for sum, avg, etc.
**Question 29.** In Lens, how can you limit a visualization to the top 5 terms of a field?
A) Use “Top N” under “Break down by” options
B) Apply a filter “field.keyword: *” and set size 5
C) Select “Limit” → “5” in the field configuration
D) Use “Metric” → “Count” and sort descending, then set “Size” to 5
Answer: A
Explanation: Lens provides a “Top N” option that automatically selects the most frequent terms up to the specified count.
**Question 30.** Which of the following is a valid way to export a Lens visualization for reuse in another Kibana space?
A) Save it as a “Saved object” and then import the JSON
B) Download the SVG image and re-upload
C) Copy the URL and paste in the other space
D) Use “Export as PDF” and import back
Answer: A

C) Cumulative sum
D) Serial difference
Answer: B
Explanation: Moving average aggregates values over a sliding window to smooth data.
**Question 34.** In a Classic bar visualization, how can you display the percentage contribution of each bar relative to the total?
A) Use “Y-axis” → “Show as percent of total”
B) Apply “Terms” aggregation with “Size” set to 100%
C) Add a “Metric” aggregation of type “Percentile”
D) Use “Data label” → “Show percent”
Answer: A
Explanation: The Y-axis option “Show as percent of total” converts absolute values into percentages.
**Question 35.** Which visualization type is specifically designed to display the distribution of a field’s values as a word cloud?
A) Tag Cloud
B) Heatmap
C) Pie chart
D) Data table
Answer: A
Explanation: Tag Cloud visualizations render terms with size proportional to their count, forming a word cloud.

**Question 36.** When building a Metric visualization that shows the average response time, which aggregation should be selected?
A) Average
B) Max
C) Sum
D) Cardinality
Answer: A
Explanation: The “Average” aggregation computes the mean of the numeric field, suitable for response time.
**Question 37.** In a Gauge visualization, what does the “Color schema” setting control?
A) The background color of the gauge only
B) The color of the needle based on thresholds
C) The fill color ranges (e.g., green, yellow, red) according to value intervals
D) The legend colors for multiple gauges
Answer: C
Explanation: The color schema defines colored bands that correspond to value ranges, providing visual alerts.
**Question 38.** Which of the following is NOT a valid metric type for a TSVB “Metric” panel?
A) Count
B) Max
C) Percentile rank
D) Histogram bucket count
Answer: D

C) “Hide zero values” under “Advanced” settings
D) “Exclude nulls” in the aggregation editor
Answer: B
Explanation: The “Filter out empty buckets” option removes rows that have no documents.
**Question 42.** In Elastic Maps, which layer type is used to display point data from a geo-point field?
A) Vector tile layer
B) Heatmap layer
C) Region layer
D) Point layer
Answer: D
Explanation: Point layers render individual geo-point documents as markers on the map.
**Question 43.** To visualize a choropleth map showing the number of log events per country, which Elastic Maps feature must you configure?
A) Add a “Region” layer with a terms aggregation on “geo.country_name”
B) Use a “Heatmap” layer with intensity based on count
C) Create a “Vector tile” layer and apply a style rule for count
D) Add a “Tile map” layer with basemap shading
Answer: A
Explanation: A Region layer aggregates documents by a geographic field (e.g., country) and colors regions based on the aggregation result.
**Question 44.** Which Kibana feature enables you to restrict a dashboard’s visibility to a specific group of users?

A) Spaces
B) Index patterns
C) Role-based field level security
D) Saved objects permissions
Answer: A
Explanation: Spaces provide isolated containers for dashboards, visualizations, and other objects, with access controlled via Kibana roles.
**Question 45.** When adding an input control to a dashboard, which type of control can be used to let users select a range of numeric values?
A) Option list
B) Range slider
C) Text input
D) Date picker
Answer: B
Explanation: The range slider control allows users to define a numeric interval for filtering.
**Question 46.** How can you generate a permalink that captures a dashboard’s current query, time range, and filters?
A) Click “Share” → “Permalink” → “Copy link”
B) Export the dashboard as JSON and host it
C) Use the “Snapshot” feature in the browser
D) Enable “URL state preservation” in settings
Answer: A
Explanation: The Share → Permalink option creates a URL that encodes the dashboard’s state.

Answer: D
Explanation: Categorization jobs parse text fields to create categories that can be monitored for anomalies.
**Question 50.** What does the “Anomaly score” represent in an ML job’s results?
A) The probability that the data point is an outlier (0-100)
B) The absolute deviation from the mean
C) A normalized value (0-100) indicating the severity of the anomaly
D) The count of similar anomalies in the last hour
Answer: C
Explanation: The anomaly score is a normalized metric ranging from 0 to 100, where higher values indicate more severe anomalies.
**Question 51.** Which alerting condition would you use to trigger when the average CPU usage exceeds 90% for 5 minutes?
A) “Threshold” condition with “Avg” aggregation, threshold > 90, “For the last 5 minutes”
B) “Metric” condition with “Max” aggregation, threshold > 90, “Over 5 minutes”
C) “Log threshold” with query “cpu > 90” and “Time window” 5 min
D) “Watcher” with “scripted condition” checking avg over 5 min
Answer: A
Explanation: The built-in “Threshold” alert condition can evaluate the average of a metric over a time window and trigger when it exceeds a defined limit.
**Question 52.** In Kibana, which feature allows you to define an alert that runs a custom Elasticsearch query and notifies when the query returns results?
A) Watcher (Alerting) with “query” condition

B) ML anomaly detection job
C) Transform with “alert” option
D) Data view filter with “auto-alert” toggle
Answer: A
Explanation: Watcher supports a “query” condition that executes an Elasticsearch query and fires an alert if any hits are returned.
**Question 53.** When creating a Transform that aggregates sales per customer_id, which aggregation type is appropriate for the total sales amount?
A) Sum aggregation on sales_amount
B) Max aggregation on sales_amount
C) Avg aggregation on sales_amount
D) Cardinality aggregation on sales_amount
Answer: A
Explanation: Summing the sales_amount field per customer_id produces the total sales per customer.
**Question 54.** Which setting in a Transform determines whether the output index is updated incrementally or rebuilt from scratch each run?
A) “Frequency”
B) “Pivot” mode (incremental vs. full)
C) “Sync” mode (continuous vs. batch)
D) “Destination index” option “Overwrite”
Answer: B
Explanation: The Transform’s pivot mode can be set to “incremental” (updates only new data) or “full” (rebuilds the entire output).