Summer Sale- Special Discount Limited Time 65% Offer - Ends in 0d 00h 00m 00s - Coupon code: netdisc

Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test

Page: 1 / 20
Total 196 questions

Splunk Enterprise Certified Admin Questions and Answers

Question 1

Which Splunk forwarder has a built-in license?

Options:

A.

Light forwarder

B.

Heavy forwarder

C.

Universal forwarder

D.

Cloud forwarder

Question 2

Which of the following is a benefit of distributed search?

Options:

A.

Peers run search in sequence.

B.

Peers run search in parallel.

C.

Resilience from indexer failure.

D.

Resilience from search head failure.

Question 3

Which of the following statements describes how distributed search works?

Options:

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Question 4

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

Options:

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Question 5

Which of the following are required when defining an index in indexes. conf? (select all that apply)

Options:

A.

coldPath

B.

homePath

C.

frozenPath

D.

thawedPath

Question 6

Which setting allows the configuration of Splunk to allow events to span over more than one line?

Options:

A.

SHOULD_LINEMERGE = true

B.

BREAK_ONLY_BEFORE_DATE = true

C.

BREAK_ONLY_BEFORE =

D.

SHOULD_LINEMERGE = false

Question 7

TheLINE_BREAKERattribute is configured in which configuration file?

Options:

A.

props.conf

B.

indexes.conf

C.

inpucs.conf

D.

transforms.conf

Question 8

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

Options:

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Question 9

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

Options:

A.

Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

B.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C.

Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Question 10

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

Options:

A.

App Class

B.

Client Class

C.

Server Class

D.

Forwarder Class

Question 11

Which setting in indexes. conf allows data retention to be controlled by time?

Options:

A.

maxDaysToKeep

B.

moveToFrozenAfter

C.

maxDataRetentionTime

D.

frozenTimePeriodlnSecs

Question 12

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

Options:

A.

Buy a bigger Splunk license.

B.

Add 2.5 TB each day for the next 5 days.

C.

Add all 10 TB in a single 24 hour period.

D.

Add 200 GB of historical data each day for 50 days.

Question 13

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Options:

A.

inputs.conf

B.

monitor.conf

C.

outputs.conf

D.

forwarder.conf

Question 14

A new forwarder has been installed with a manually createddeploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

Options:

A.

Restart Splunk on the deployment server.

B.

Enable the deployment client in Splunk Web under Forwarder Management.

C.

Restart Splunk on the deployment client.

D.

Wait for up to the time set in thephoneHomeIntervalInSecssetting.

Question 15

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

A.

Upload option

B.

Forward option

C.

Monitor option

D.

Download option

Question 16

Which Splunk component performs indexing and responds to search requests from the search head?

Options:

A.

Forwarder

B.

Search peer

C.

License master

D.

Search head cluster

Question 17

What is the correct order of steps in Duo Multifactor Authentication?

Options:

A.

1 Request Login2. Connect to SAML server3 Duo MFA4 Create User session5 Authentication Granted 6. Log into Splunk

B.

1. Request Login 2 Duo MFA3. Authentication Granted 4 Connect to SAML server5. Log into Splunk6. Create User session

C.

1 Request Login2 Check authentication / group mapping3 Authentication Granted4. Duo MFA5. Create User session6. Log into Splunk

D.

1 Request Login 2 Duo MFA3. Check authentication / group mapping4 Create User session5. Authentication Granted6 Log into Splunk

Question 18

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

Options:

A.

Tail Reader

B.

Upload

C.

MonitorNoHandIe

D.

Monitor

Question 19

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

Question # 19

Options:

A.

host=server1index=unixinfo

B.

host=server1index=searchinfo

C.

host=searchsvr1index=searchinfo

D.

host=unixsvr1index=unixinfo

Question 20

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Options:

A.

props.conf

B.

sourcetypes.conf

C.

transforms.conf

D.

outputs.conf

Question 21

What is the correct curl to send multiple events through HTTP Event Collector?

Question # 21

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 22

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

Options:

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Question 23

Consider the following stanza ininputs.conf:

Question # 23

What will the value of the source filed be for events generated by this scripts input?

Options:

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Question 24

Which of the following are supported options when configuring optional network inputs?

Options:

A.

Metadata override, sender filtering options, network input queues (quantum queues)

B.

Metadata override, sender filtering options, network input queues (memory/persistent queues)

C.

Filename override, sender filtering options, network output queues (memory/persistent queues)

D.

Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Question 25

In which phase of the index time process does the license metering occur?

Options:

A.

input phase

B.

Parsing phase

C.

Indexing phase

D.

Licensing phase

Question 26

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

Options:

A.

GUID

B.

DNS

C.

Hash Checksum

D.

IP Address

Question 27

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

Options:

A.

$SFLUNK_HOME/bin/scripts

B.

$SPLUNK_HOME/etc/apps/bin

C.

$SPLUNK_HOME/etc/system/bin

D.

$S?LUNK_HOME/etc/apps//bin_

Question 28

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

Question # 28

B)

Question # 28

C)

Question # 28

D)

Question # 28

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 29

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

Options:

A.

Duo Administrator

B.

LDAP Administrator

C.

SAML Administrator

D.

Trio Administrator

Question 30

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

Options:

A.

90 days

B.

60 days

C.

7 days

D.

14 days

Question 31

In which Splunk configuration is the SEDCMD used?

Options:

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Question 32

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Question # 32

Event example:

Question # 32

Options:

A.

MAX_TIMESTAMP_L0CKAHEAD = 5

B.

MAX_TIMESTAMP_LOOKAHEAD - 10

C.

MAX_TIMESTAMF_LOOKHEAD = 20

D.

MAX TIMESTAMP LOOKAHEAD - 30

Question 33

A user is assigned two roles with the following search filters. What is the user's applied search filter?

Question # 33

Options:

A.

Option A33

B.

B. Option B33

C.

C. Option C33

D.

D. Option D33

Question 34

When using license pools, volume allocations apply to which Splunk components?

Options:

A.

Indexers

B.

Indexes

C.

Heavy Forwarders

D.

Search Heads

Question 35

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

Options:

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Question 36

What is a role in Splunk? (select all that apply)

Options:

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Question 37

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Options:

A.

splunk btool server list --debug

B.

splunk list forward-indexer

C.

splunk list forward-server

D.

splunk btool indexes list --debug

Question 38

Which of the following applies only to Splunk index data integrity check?

Options:

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Question 39

How can native authentication be disabled in Splunk?

Options:

A.

Remove the $SPLUNK_HOME/etc/passwd file

B.

Create an empty $SPLUNK_HOME/etc/passwd file

C.

Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

D.

Set nativeAuthentication=false in authentication.conf

Question 40

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Question 41

Where should apps be located on the deployment server that the clients pull from?

Options:

A.

$SFLUNK_KOME/etc/apps

B.

$SPLUNK_HCME/etc/sear:ch

C.

$SPLUNK_HCME/etc/master-apps

D.

$SPLUNK HCME/etc/deployment-apps

Question 42

How often does Splunk recheck the LDAP server?

Options:

A.

Every 5 minutes

B.

Each time a user logs in

C.

Each time Splunk is restarted

D.

Varies based on LDAP_refresh setting.

Question 43

The following stanza is active in indexes.conf:

[cat_facts]

maxHotSpanSecs = 3600

frozenTimePeriodInSecs = 2630000

maxTota1DataSizeMB = 650000

All other related indexes.conf settings are default values.

If the event timestamp was 3739283 seconds ago, will it be searchable?

Options:

A.

Yes, only if the bucket is still hot.

B.

No, because the index will have exceeded its maximum size.

C.

Yes, only if the index size is also below 650000 MB.

D.

No, because the event time is greater than the retention time.

Question 44

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

Options:

A.

CLI

B.

Edit inputs . conf

C.

Edit forwarder.conf

D.

Forwarder Management

Question 45

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

Options:

A.

Run $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

B.

Create and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

C.

Create and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

D.

Run $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Question 46

When using a directory monitor input, specific source types can be selectively overridden using which configuration file?

Options:

A.

sourcetypes . conf

B.

trans forms . conf

C.

outputs . conf

D.

props . conf

Question 47

Which forwarder is recommended by Splunk to use in a production environment?

Options:

A.

Heavy forwarder

B.

SSL forwarder

C.

Lightweight forwarder

D.

Universal forwarder

Question 48

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 49

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

Options:

A.

Indexer

B.

Deployer

C.

Forwarder

D.

Deployment server

Question 50

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

Options:

A.

Map Users

B.

Map Groups

C.

Map LDAP Inheritance

D.

Map LDAP to Active Directory

Question 51

The priority of layered Splunk configuration files depends on the file's:

Options:

A.

Owner

B.

Weight

C.

Context

D.

Creation time

Question 52

Which of the following is valid distribute search group?

A)

B)

Question # 52

C)

Question # 52

D)

Question # 52

Options:

A.

option A

B.

Option B

C.

Option C

D.

Option D

Question 53

What is the correct order of index time precedence?

(For each of the following, highest precedence is shown at the top and lowest precedence is shown at the bottom)

Options:

A.

Option A53

B.

B. Option B53

C.

C. Option C53

D.

D. Option D53

Question 54

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Question 55

Which of the following is a valid distributed search group?

Options:

A.

[distributedSearch:Paris] default = false servers = server1, server2

B.

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C.

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D.

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Question 56

What action could be taken to prevent a license warning with an ingest-based license?

Options:

A.

Add a new license before midnight on the indexer(s).

B.

Delete the data before midnight on the indexer(s).

C.

Add a new license before midnight on the license manager.

D.

Delete the data before midnight on the license manager.

Question 57

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

Options:

A.

LDAP

B.

SAML

C.

RADIUS

D.

Duo Multifactor Authentication

Question 58

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

Options:

A.

On Universal Forwarder, $SPLUNK_HOME/etc/apps

B.

On Deployment Server, $SPLUNK_HOME/etc/apps

C.

On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

D.

On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Page: 1 / 20
Total 196 questions