Summer Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Exam Practice Test

Page: 1 / 17
Total 174 questions

Splunk Enterprise Certified Admin Exam Questions and Answers

Question 1

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

Options:

A.

services/collector

B.

data/collector

C.

services/inputs?raw

D.

services/data/collector

Question 2

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

Options:

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Question 3

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

Options:

A.

Deployer

B.

Cluster master

C.

Deployment server

D.

Search head cluster master

Question 4

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Options:

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Question 5

Which of the following applies only to Splunk index data integrity check?

Options:

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Question 6

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

Options:

A.

App Class

B.

Client Class

C.

Server Class

D.

Forwarder Class

Question 7

Given a forwarder with the following outputs.conf configuration:

[tcpout : mypartner]

Server = 145.188.183.184:9097

[tcpout : hfbank]

server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997

Which of the following is a true statement?

  • Data will continue to flow to hfbank if 145.1 ga. 183.184 : 9097 is unreachable.

  • Data is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP.

  • Data is encrypted to mypartner because 145.183.184 : 9097 is specified by IP.

Options:

A.

Data will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

Question 8

In which phase of the index time process does the license metering occur?

Options:

A.

input phase

B.

Parsing phase

C.

Indexing phase

D.

Licensing phase

Question 9

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

Options:

A.

SFLUNK_HOME/etc/deployment

B.

SPLUNK_HOME/etc/system/local

C.

SPLUNK_HOME/etc/system/default

D.

SPLUNK_KOME/etc/apps/deployment

Question 10

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

Options:

A.

... is not supported in monitor stanzas

B.

There is no difference, they are interchangable and match anything beyond directory boundaries.

C.

* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D.

... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Question 11

What is the name of the object that stores events inside of an index?

Options:

A.

Container

B.

Bucket

C.

Data layer

D.

Indexer

Question 12

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

Options:

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Question 13

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

Options:

A.

90 days

B.

60 days

C.

7 days

D.

14 days

Question 14

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

Options:

A.

_TCP_ROUTING

B.

_INDEXER_LIST

C.

_INDEXER_GROUP

D.

_INDEXER ROUTING

Question 15

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

Options:

A.

On Universal Forwarder, $SPLUNK_HOME/etc/apps

B.

On Deployment Server, $SPLUNK_HOME/etc/apps

C.

On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

D.

On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Question 16

How is a remote monitor input distributed to forwarders?

Options:

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Question 17

Which of the following are supported options when configuring optional network inputs?

Options:

A.

Metadata override, sender filtering options, network input queues (quantum queues)

B.

Metadata override, sender filtering options, network input queues (memory/persistent queues)

C.

Filename override, sender filtering options, network output queues (memory/persistent queues)

D.

Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Question 18

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

Question # 18

B)

Question # 18

C)

Question # 18

D)

Question # 18

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 19

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

A.

License data

B.

Metricsdata

C.

Internal Splunk data

D.

Internal Windows logs

Question 20

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Options:

A.

props.conf

B.

inputs.conf

C.

rawdata.conf

D.

transforms.conf

Question 21

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

Options:

A.

It does not encrypt the certificate password.

B.

SSL automatically compresses the feed by default.

C.

It requires that the forwarder be set to compressed=true.

D.

It requires that the receiver be set to compression=true.

Question 22

When would the following command be used?

Question # 22

Options:

A.

To verify' the integrity of a local index.

B.

To verify the integrity of a SmartStore index.

C.

To verify the integrity of a SmartStore bucket.

D.

To verify the integrity of a local bucket.

Question 23

In which Splunk configuration is the SEDCMD used?

Options:

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Question 24

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

Options:

A.

Indexers

B.

Forwarder

C.

Search head

D.

Search peers

Question 25

All search-time field extractions should be specified on which Splunk component?

Options:

A.

Deployment server

B.

Universal forwarder

C.

Indexer

D.

Search head

Question 26

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

Options:

A.

Duo Administrator

B.

LDAP Administrator

C.

SAML Administrator

D.

Trio Administrator

Question 27

Which Splunk component would one use to perform line breaking prior to indexing?

Options:

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Question 28

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Question 29

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Options:

A.

admin

B.

power

C.

user

D.

splunk-system-role

Question 30

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

Options:

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Question 31

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Options:

A.

index=main

B.

index=test

C.

index=summary

D.

index=_internal

Question 32

What type of Splunk license is pre-selected in a brand new Splunk installation?

Options:

A.

Free license

B.

Forwarder license

C.

Enterprise trial license

D.

Enterprise license

Question 33

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

Options:

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Question 34

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

Options:

A.

Apps

B.

Search

C.

Data preview

D.

Forwarder inputs

Question 35

Which forwarder type can parse data prior to forwarding?

Options:

A.

Universal forwarder

B.

Heaviest forwarder

C.

Hyper forwarder

D.

Heavy forwarder

Question 36

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

Options:

A.

Nothing changes.

B.

The peer-apps local directory becomes the highest priority.

C.

The app local directories move to second in the priority list.

D.

The system default directory' becomes the highest priority.

Question 37

Syslog files are being monitored on a Heavy Forwarder.

Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

Options:

A.

Heavy Forwarder

B.

Indexer

C.

Search head

D.

Deployment server

Question 38

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

Options:

A.

CLI

B.

Edit inputs . conf

C.

Edit forwarder.conf

D.

Forwarder Management

Question 39

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

Options:

A.

channelTTL

B.

connectionTimeout

C.

autoLBFrequency

D.

secsInFailurelnterval

Question 40

Which parent directory contains the configuration files in Splunk?

Options:

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Question 41

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Question 42

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

Options:

A.

Create one outputs . conf file for each of the server addresses in the indexing tier.

B.

Configure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

C.

Splunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

D.

Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Question 43

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

Options:

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Question 44

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

Question # 44

Options:

A.

host=server1

index=unixinfo

B.

host=server1

index=searchinfo

C.

host=searchsvr1

index=searchinfo

D.

host=unixsvr1

index=unixinfo

Question 45

The universal forwarder has which capabilities when sending data? (select all that apply)

Options:

A.

Sending alerts

B.

Compressing data

C.

Obfuscating/hiding data

D.

Indexer acknowledgement

Question 46

Which of the methods listed below supports muti-factor authentication?

Options:

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAML)

C.

Single Sign-on (SSO)

D.

OpenlD

Question 47

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Question 48

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

Options:

A.

Enable indexer acknowledgment.

B.

Enable forwarder acknowledgment.

C.

splunk check-integrity -index

D.

index=_internal component=ACK | stats count by host

Question 49

Which of the following are required when defining an index in indexes. conf? (select all that apply)

Options:

A.

coldPath

B.

homePath

C.

frozenPath

D.

thawedPath

Question 50

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Question 51

Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

Options:

A.

Universal Forwarder

B.

Search head

C.

Heavy Forwarder

D.

Indexer

Question 52

UsingSEDCMDinprops.confallows raw data to be modified. With the given event below, which option will mask the first three digits of theAcctIDfield resulting output:[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Options:

A.

SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

B.

SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

C.

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

D.

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Question 53

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

Options:

A.

Index once.

B.

Monitor interval.

C.

On-demand monitor.

D.

Continuously monitor.

Question 54

Which is a valid stanza for a network input?

Options:

A.

[udp://172.16.10.1:9997]

connection = dns

sourcetype = dns

B.

[any://172.16.10.1:10001]

connection_host = ip

sourcetype = web

C.

[tcp://172.16.10.1:9997]

connection_host = web

sourcetype = web

D.

[tcp://172.16.10.1:10001]

connection_host = dns

sourcetype = dns

Page: 1 / 17
Total 174 questions