New Year Sale Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: pass65

SPLK-1003 Splunk Enterprise Certified Admin Questions and Answers

Questions 4

Which forwarder type can parse data prior to forwarding?

Options:

A.

Universal forwarder

B.

Heaviest forwarder

C.

Hyper forwarder

D.

Heavy forwarder

Buy Now
Questions 5

All search-time field extractions should be specified on which Splunk component?

Options:

A.

Deployment server

B.

Universal forwarder

C.

Indexer

D.

Search head

Buy Now
Questions 6

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Buy Now
Questions 7

Which Splunk component would one use to perform line breaking prior to indexing?

Options:

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Buy Now
Questions 8

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

Options:

A.

Indexer

B.

Deployer

C.

Forwarder

D.

Deployment server

Buy Now
Questions 9

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

Options:

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Buy Now
Questions 10

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Options:

A.

admin

B.

power

C.

user

D.

splunk-system-role

Buy Now
Questions 11

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Buy Now
Questions 12

How often does Splunk recheck the LDAP server?

Options:

A.

Every 5 minutes

B.

Each time a user logs in

C.

Each time Splunk is restarted

D.

Varies based on LDAP_refresh setting.

Buy Now
Questions 13

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

SPLK-1003 Question 13

Options:

A.

host=server1

index=unixinfo

B.

host=server1

index=searchinfo

C.

host=searchsvr1

index=searchinfo

D.

host=unixsvr1

index=unixinfo

Buy Now
Questions 14

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

SPLK-1003 Question 14

B)

SPLK-1003 Question 14

C)

SPLK-1003 Question 14

D)

SPLK-1003 Question 14

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 15

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

A.

Typing pipeline

B.

Parsing pipeline

C.

fifo pipeline

D.

Indexing pipeline

Buy Now
Questions 16

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

SPLK-1003 Question 16

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 17

What is the valid option for a [monitor] stanza in inputs.conf?

Options:

A.

enabled

B.

datasource

C.

server_name

D.

ignoreOlderThan

Buy Now
Questions 18

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

Options:

A.

channelTTL

B.

connectionTimeout

C.

autoLBFrequency

D.

secsInFailurelnterval

Buy Now
Questions 19

What is the default character encoding used by Splunk during the input phase?

Options:

A.

UTF-8

B.

UTF-16

C.

EBCDIC

D.

ISO 8859

Buy Now
Questions 20

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Buy Now
Questions 21

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

Options:

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Buy Now
Questions 22

Which of the following statements apply to directory inputs? {select all that apply)

Options:

A.

All discovered text files are consumed.

B.

Compressed files are ignored by default

C.

Splunk recursively traverses through the directory structure.

D.

When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Buy Now
Questions 23

How is a remote monitor input distributed to forwarders?

Options:

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Buy Now
Questions 24

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

Options:

A.

Apps

B.

Search

C.

Data preview

D.

Forwarder inputs

Buy Now
Questions 25

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Options:

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Buy Now
Questions 26

Local user accounts created in Splunk store passwords in which file?

Options:

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Buy Now
Questions 27

Which of the methods listed below supports muti-factor authentication?

Options:

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAML)

C.

Single Sign-on (SSO)

D.

OpenlD

Buy Now
Questions 28

Which of the following Splunk components require a separate installation package?

Options:

A.

Deployment server

B.

License master

C.

Universal forwarder

D.

Heavy forwarder

Buy Now
Questions 29

In which Splunk configuration is the SEDCMD used?

Options:

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Buy Now
Questions 30

Which of the following is a valid distributed search group?

Options:

A.

[distributedSearch:Paris] default = false servers = server1, server2

B.

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C.

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D.

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Buy Now
Questions 31

Which artifact is required in the request header when creating an HTTP event?

Options:

A.

ackID

B.

Token

C.

Manifest

D.

Host name

Buy Now
Questions 32

Which layers are involved in Splunk configuration file layering? (select all that apply)

Options:

A.

App context

B.

User context

C.

Global context

D.

Forwarder context

Buy Now
Questions 33

Which forwarder is recommended by Splunk to use in a production environment?

Options:

A.

Heavy forwarder

B.

SSL forwarder

C.

Lightweight forwarder

D.

Universal forwarder

Buy Now
Questions 34

An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the default props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be added to the user’s local context to disable the field aliases?

SPLK-1003 Question 34

SPLK-1003 Question 34

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 35

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

Options:

A.

REGEX, DEST. FORMAT

B.

REGEX. SRC_KEY, FORMAT

C.

REGEX, DEST_KEY, FORMAT

D.

REGEX, DEST_KEY FORMATTING

Buy Now
Questions 36

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

Options:

A.

/var/log/host_460352847/temp/bar/file/csv/foo.txt

B.

/var/log/host_460352847/bar/foo.txt

C.

/var/log/host_460352847/bar/file/foo.txt

D.

/var/ log/ host_460352847/temp/bar/file/foo.txt

Buy Now
Questions 37

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

A.

License data

B.

Metricsdata

C.

Internal Splunk data

D.

Internal Windows logs

Buy Now
Questions 38

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

Options:

A.

Blacklist

B.

Whitelist

C.

They cancel each other out.

D.

Whichever is entered into the configuration first.

Buy Now
Questions 39

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

Options:

A.

Enable indexer acknowledgment.

B.

Enable forwarder acknowledgment.

C.

splunk check-integrity -index

D.

index=_internal component=ACK | stats count by host

Buy Now
Questions 40

The universal forwarder has which capabilities when sending data? (select all that apply)

Options:

A.

Sending alerts

B.

Compressing data

C.

Obfuscating/hiding data

D.

Indexer acknowledgement

Buy Now
Questions 41

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

A.

Upload option

B.

Forward option

C.

Monitor option

D.

Download option

Buy Now
Questions 42

What is the correct example to redact a plain-text password from raw events?

Options:

A.

in props.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

B.

in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

C.

in transforms.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

D.

in transforms.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Buy Now
Questions 43

When running a real-time search, search results are pulled from which Splunk component?

Options:

A.

Heavy forwarders and search peers

B.

Heavy forwarders

C.

Search heads

D.

Search peers

Buy Now
Questions 44

Which of the following are required when defining an index in indexes. conf? (select all that apply)

Options:

A.

coldPath

B.

homePath

C.

frozenPath

D.

thawedPath

Buy Now
Questions 45

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

Options:

A.

21MB

B.

28MB

C.

14MB

D.

7MB

Buy Now
Questions 46

Which setting allows the configuration of Splunk to allow events to span over more than one line?

Options:

A.

SHOULD_LINEMERGE = true

B.

BREAK_ONLY_BEFORE_DATE = true

C.

BREAK_ONLY_BEFORE =

D.

SHOULD_LINEMERGE = false

Buy Now
Questions 47

During search time, which directory of configuration files has the highest precedence?

Options:

A.

$SFLUNK_KOME/etc/system/local

B.

$SPLUNK_KCME/etc/system/default

C.

$SPLUNK_HCME/etc/apps/app1/local

D.

$SPLUNK HCME/etc/users/admin/local

Buy Now
Questions 48

What is the name of the object that stores events inside of an index?

Options:

A.

Container

B.

Bucket

C.

Data layer

D.

Indexer

Buy Now
Questions 49

In which phase do indexed extractions in props.conf occur?

Options:

A.

Inputs phase

B.

Parsing phase

C.

Indexing phase

D.

Searching phase

Buy Now
Questions 50

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

Options:

A.

SFLUNK_HOME/etc/deployment

B.

SPLUNK_HOME/etc/system/local

C.

SPLUNK_HOME/etc/system/default

D.

SPLUNK_KOME/etc/apps/deployment

Buy Now
Questions 51

Within props. conf, which stanzas are valid for data modification? (select all that apply)

Options:

A.

Host

B.

Server

C.

Source

D.

Sourcetype

Buy Now
Questions 52

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

Options:

A.

Restart Splunk on the deployment server.

B.

Enable the deployment client in Splunk Web under Forwarder Management.

C.

Restart Splunk on the deployment client.

D.

Wait for up to the time set in the phoneHomeIntervalInSecs setting.

Buy Now
Questions 53

What is a role in Splunk? (select all that apply)

Options:

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Buy Now
Questions 54

Which Splunk configuration file is used to enable data integrity checking?

Options:

A.

props.conf

B.

global.conf

C.

indexes.conf

D.

data_integrity.conf

Buy Now
Questions 55

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

Options:

A.

Update the user in Splunk web informing them that the results of their search may be incomplete.

B.

Repeat the search request on indexer B without informing the user.

C.

Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

D.

Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Buy Now
Exam Code: SPLK-1003
Exam Name: Splunk Enterprise Certified Admin
Last Update: Dec 17, 2024
Questions: 185

PDF + Testing Engine

$57.75  $164.99

Testing Engine

$43.75  $124.99
buy now SPLK-1003 testing engine

PDF (Q&A)

$36.75  $104.99
buy now SPLK-1003 pdf