
Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test

Page: 1 / 19
Total 185 questions

Splunk Enterprise Certified Admin Questions and Answers

Question 1

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

A. Upload option
B. Forward option
C. Monitor option
D. Download option

Question 2

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

A. Disk
B. CPUs
C. Memory
D. Network interface cards

Question 3

When using license pools, volume allocations apply to which Splunk components?

Options:

A. Indexers
B. Indexes
C. Heavy Forwarders
D. Search Heads

Question 4

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

Options:

A. CLI
B. Edit inputs.conf
C. Edit forwarder.conf
D. Forwarder Management

Question 5

In which phase do indexed extractions in props.conf occur?

Options:

A. Inputs phase
B. Parsing phase
C. Indexing phase
D. Searching phase

Question 6

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

Options:

A. Map Users
B. Map Groups
C. Map LDAP Inheritance
D. Map LDAP to Active Directory

Question 7

What is required when adding a native user to Splunk? (select all that apply)

Options:

A. Password
B. Username
C. Full Name
D. Default app

Question 8

How is a remote monitor input distributed to forwarders?

Options:

A. As an app.
B. As a forward.conf file.
C. As a monitor.conf file.
D. As a forwarder monitor profile.

Question 9

What action is required to enable forwarder management in Splunk Web?

Options:

A. Navigate to Settings > Server Settings > General Settings, and set an App server port.
B. Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
C. Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.
D. Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Question 10

Which scenario is applicable given the stanzas in authentication.conf below?

[authentication]
externalTwoFactorAuthVendor = Duo
externalTwoFactorAuthSettings = duoMFA

[duoMFA]
integrationKey = aGFwcHliaXJ0aGRheU1pZGR5
secretKey = YXVzdHJhaWxpYW5Gb3JHcmVw
applicationKey = c3BsaW5raW5ndGhlcGx1bWJ1c3NpbmN1OTU
apiHostname = 466993018.duosecurity.com
failOpen = True
timeout = 60

Options:

A. If Splunk cannot connect to the multifactor authentication provider, all logins will be denied.
B. Multifactor authentication is required to log into the host operating system.
C. The secretKey does not need to be protected since multifactor authentication is turned on.
D. If Splunk cannot connect to the multifactor authentication provider, authentications will be successful without completing a multifactor challenge.

Question 11

Event processing occurs at which phase of the data pipeline?

Options:

A. Search
B. Indexing
C. Parsing
D. Input

Question 12

Which is a valid stanza for a network input?

Options:

A.
  [udp://172.16.10.1:9997]
  connection = dns
  sourcetype = dns

B.
  [any://172.16.10.1:10001]
  connection_host = ip
  sourcetype = web

C.
  [tcp://172.16.10.1:9997]
  connection_host = web
  sourcetype = web

D.
  [tcp://172.16.10.1:10001]
  connection_host = dns
  sourcetype = dns

Question 13

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

Options:

A. On Universal Forwarder, $SPLUNK_HOME/etc/apps
B. On Deployment Server, $SPLUNK_HOME/etc/apps
C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps
D. On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Question 14

When should the Data Preview feature be used?

Options:

A. When extracting fields for ingested data.
B. When previewing the data before searching.
C. When reviewing data on the source host.
D. When validating the parsing of data.

Question 15

When would the following command be used?

[The command is shown as an image in the original and is not reproduced here.]

Options:

A. To verify the integrity of a local index.
B. To verify the integrity of a SmartStore index.
C. To verify the integrity of a SmartStore bucket.
D. To verify the integrity of a local bucket.

Question 16

To set up a Network input in Splunk, what needs to be specified?

Options:

A. File path
B. Username and password
C. Network protocol and port number
D. Network protocol and MAC address

Question 17

What is the command to reset the fishbucket for one source?

Options:

A. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
B. splunk clean eventdata -index _thefishbucket
C. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file --reset
D. splunk btool fishbucket reset

Question 18

What is the name of the object that stores events inside of an index?

Options:

A. Container
B. Bucket
C. Data layer
D. Indexer

Question 19

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

Options:

A. 90 days
B. 60 days
C. 7 days
D. 14 days

Question 20

An admin oversees an environment with a 1000 GB/day license. The configuration file server.conf has strict_pool_quota=false set. The license is divided into the following three pools, and today's usage is shown in the right-hand column:

Pool   License size   Today's usage
X      500 GB/day     100 GB
Y      350 GB/day     400 GB
Z      150 GB/day     300 GB

Given this, which pool(s) are issued warnings?

Options:

A. All pools
B. Z only
C. None
D. Y and Z

Question 21

In inputs.conf, which stanza would mean Splunk was only reading one local file?

Options:

A. [read://opt/log/crashlog/Jan27crash.txt]
B. [monitor::/opt/log/crashlog/Jan27crash.txt]
C. [monitor:///opt/log/]
D. [monitor:///opt/log/crashlog/Jan27crash.txt]

Question 22

Using SEDCMD in props.conf allows raw data to be modified. Given the event below, which option masks the first three digits of the AcctID field, producing the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Options:

A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Question 23

Which of the following types of data count against the license daily quota?

Options:

A. Replicated data
B. splunkd logs
C. Summary index data
D. Windows internal logs

Question 24

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

Options:

A. The blacklist takes precedence over the whitelist.
B. The whitelist takes precedence over the blacklist.
C. Wildcards are not supported in any client filters.
D. Machine type filters are applied before the whitelist and blacklist.

Question 25

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

Options:

A. Any OS platform
B. Linux platform only
C. Windows platform only
D. None of the above

Question 26

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder's outputs.conf and the tcpout stanza are set up correctly. What else could be the cause of this scaling issue? (select all that apply)

Options:

A. The receiving port is not properly set up to listen on the right port.
B. The inputs.conf's _SYSLOG_ROUTING is not set up to use the right group names.
C. The DNS record used is not set up with a valid list of IP addresses.
D. The indexAndForward value is not set properly.

Question 27

User role inheritance allows what to be inherited from the parent role? (select all that apply)

Options:

A. Parents
B. Capabilities
C. Index access
D. Search history

Question 28

A Universal Forwarder has the following active stanza in inputs.conf:

[monitor://var/log]
disabled = 0
host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

Options:

A. Universal Coordinated Time.
B. The timezone of the search head.
C. The timezone of the indexer that indexed the event.
D. The timezone of the forwarder.

Question 29

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs

Question 30

Which of the following authentication types requires scripting in Splunk?

Options:

A. ADFS
B. LDAP
C. SAML
D. RADIUS

Question 31

When does a warm bucket roll over to a cold bucket?

Options:

A. When Splunk is restarted.
B. When the maximum warm bucket age has been reached.
C. When the maximum warm bucket size has been reached.
D. When the maximum number of warm buckets is reached.

Question 32

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?

Options:

A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk, along with the file path from which each configuration is loaded.
D. A list of the currently running props.conf configurations, along with the file path from which each configuration was made.

Question 33

Within props.conf, which stanzas are valid for data modification? (select all that apply)

Options:

A. Host
B. Server
C. Source
D. Sourcetype

Question 34

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Options:

A. splunk btool server list --debug
B. splunk list forward-indexer
C. splunk list forward-server
D. splunk btool indexes list --debug

Question 35

How does the Monitoring Console monitor forwarders?

Options:

A. By pulling internal logs from forwarders.
B. By using the forwarder monitoring add-on.
C. With internal logs forwarded by forwarders.
D. With internal logs forwarded by deployment server.

Question 36

Which file will be matched for the following monitor stanza in inputs.conf?

[monitor:///var/log/*/bar/*.txt]

Options:

A. /var/log/host_460352847/temp/bar/file/csv/foo.txt
B. /var/log/host_460352847/bar/foo.txt
C. /var/log/host_460352847/bar/file/foo.txt
D. /var/log/host_460352847/temp/bar/file/foo.txt

Question 37

When running a real-time search, search results are pulled from which Splunk component?

Options:

A. Heavy forwarders and search peers
B. Heavy forwarders
C. Search heads
D. Search peers

Question 38

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?

Options:

A. Indexer clustering
B. LDAP control
C. Distributed search
D. Search head clustering

Question 39

Which Splunk component requires a Forwarder license?

Options:

A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder

Question 40

Which data pipeline phase is the last opportunity for defining event boundaries?

Options:

A. Input phase
B. Indexing phase
C. Parsing phase
D. Search phase

Question 41

A Universal Forwarder is collecting two separate sources of data (A, B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to ensure that the masking takes place successfully?

Options:

A. Make sure that props.conf and transforms.conf are both present on the indexer and the search head.
B. For source A, make sure that props.conf is in place on the indexer; and for source B, make sure transforms.conf is present on the Heavy Forwarder.
C. Make sure that props.conf and transforms.conf are both present on the Universal Forwarder.
D. Place both props.conf and transforms.conf on the Heavy Forwarder for source A, and place both props.conf and transforms.conf on the indexer for source B.

Question 42

Syslog files are being monitored on a Heavy Forwarder. Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

Options:

A. Heavy Forwarder
B. Indexer
C. Search head
D. Deployment server

Question 43

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed. Which command would meet these needs?

Options:

A. splunk add oneshot /opt/incident/data.log --index incident
B. splunk edit monitor /opt/incident/data.* --index incident
C. splunk add monitor /opt/incident/data.log --index incident
D. splunk edit oneshot /opt/incident/data.* --index incident

Question 44

What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

Options:

A. ... is not supported in monitor stanzas.
B. There is no difference; they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Question 45

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

Options:

A. channelTTL
B. connectionTimeout
C. autoLBFrequency
D. secsInFailureInterval

Question 46

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Options:

A. host
B. index
C. linecount
D. splunk_server

Question 47

Which Splunk component performs indexing and responds to search requests from the search head?

Options:

A. Forwarder
B. Search peer
C. License master
D. Search head cluster

Question 48

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?

Options:

A. Duo Administrator
B. LDAP Administrator
C. SAML Administrator
D. Trio Administrator

Question 49

Immediately after installation, what will a Universal Forwarder do first?

Options:

A. Automatically detect any indexers in its subnet and begin routing data.
B. Begin generating internal Splunk logs.
C. Begin reading local files on its server.
D. Send an email to the operator that the installation process has completed.

Question 50

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

Options:

A. services/collector
B. data/collector
C. services/inputs?raw
D. services/data/collector

Question 51

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of users?

Options:

A. Linked roles
B. Grantable roles
C. Role federation
D. Role inheritance

Question 52

All search-time field extractions should be specified on which Splunk component?

Options:

A. Deployment server
B. Universal forwarder
C. Indexer
D. Search head

Question 53

In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?

[The source definition is shown as an image in the original and is not reproduced here.]

Event example:

[The event example is shown as an image in the original and is not reproduced here.]

Options:

A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30

Question 54

What options are available when creating custom roles? (select all that apply)

Options:

A. Restrict search terms
B. Whitelist search terms
C. Limit the number of concurrent search jobs
D. Allow or restrict indexes that can be searched

Question 55

When are knowledge bundles distributed to search peers?

Options:

A. After a user logs in.
B. When Splunk is restarted.
C. When adding a new search peer.
D. When a distributed search is initiated.
