Summer Sale Discount Flat 70% Offer - Ends in 0d 00h 00m 00s - Coupon code: 70diswrap

Splunk SPLK-1003 Dumps

Page: 1 / 21
Total 206 questions

Splunk Enterprise Certified Admin Questions and Answers

Question 1

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

Options:

A.

IgnoreOlderThan

B.

allowList

C.

monitor

D.

followTail

Question 2

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

A.

fifo pipeline

B.

Indexing pipeline

C.

Parsing pipeline

D.

Typing pipeline

Question 3

When does a warm bucket roll over to a cold bucket?

Options:

A.

When Splunk is restarted.

B.

When the maximum warm bucket age has been reached.

C.

When the maximum warm bucket size has been reached.

D.

When the maximum number of warm buckets is reached.

Question 4

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

Options:

A.

App Class

B.

Client Class

C.

Server Class

D.

Forwarder Class

Question 5

User role inheritance allows what to be inherited from the parent role? (select all that apply)

Options:

A.

Parents

B.

Capabilities

C.

Index access

D.

Search history

Question 6

The universal forwarder has which capabilities when sending data? (select all that apply)

Options:

A.

Sending alerts

B.

Compressing data

C.

Obfuscating/hiding data

D.

Indexer acknowledgement

Question 7

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

Options:

A.

$SFLUNK_HOME/bin/scripts

B.

$SPLUNK_HOME/etc/apps/bin

C.

$SPLUNK_HOME/etc/system/bin

D.

$S?LUNK_HOME/etc/apps/ < your_app > /bin_

Question 8

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

Options:

A.

Index once.

B.

Monitor interval.

C.

On-demand monitor.

D.

Continuously monitor.

Question 9

Which of the following is true regarding LDAP integration with Splunk Enterprise?

Options:

A.

Having the change authentication capability will not allow setup of the LDAP integration.

B.

Mappings can be changed at any time if the user has the power role.

C.

A user cannot log in via LDAP unless they have an associated Splunk role.

D.

LDAP integration will not function unless all groups are mapped to an LDAP group.

Question 10

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

Options:

A.

services/ collector

B.

services/ inputs ? raw

C.

services/ data/ collector

D.

data/ collector

Question 11

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Options:

A.

props.conf

B.

inputs.conf

C.

outputs.conf

D.

collections.conf

Question 12

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk ' s response?

Options:

A.

Update the user in Splunk web informing them that the results of their search may be incomplete.

B.

Repeat the search request on indexer B without informing the user.

C.

Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

D.

Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Question 13

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

as

B)

as

C)

as

D)

as

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 14

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

A.

Upload option

B.

Forward option

C.

Monitor option

D.

Download option

Question 15

An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the defaultprops.confbelow, whichSPLUNK_HOME/etc/users/buttercup/myTA/local/props.confstanza can be added to the user’s local context to disable the field aliases?

as

as

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 16

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

Options:

A.

The blacklist takes precedence over the whitelist.

B.

The whitelist takes precedence over the blacklist.

C.

Wildcards are not supported in any client filters.

D.

Machine type filters are applied before the whitelist and blacklist.

Question 17

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Options:

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Question 18

What is the correct curl to send multiple events through HTTP Event Collector?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 19

Where are deployment server apps mapped to clients?

Options:

A.

Apps tab in forwarder management interface or clientapps.conf.

B.

Clients tab in forwarder management interface or deploymentclient.conf.

C.

Server Classes tab in forwarder management interface or serverclass.conf.

D.

Client Applications tab in forwarder management interface or clientapps.conf.

Question 20

What options are available when creating custom roles? (select all that apply)

Options:

A.

Restrict search terms

B.

Whitelist search terms

C.

Limit the number of concurrent search jobs

D.

Allow or restrict indexes that can be searched.

Question 21

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

Options:

A.

Universal forwarders

B.

Splunk Cloud

C.

Linux package managers

D.

Windows using WMI

Question 22

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Question 23

What happens when the same username exists in Splunk as well as through LDAP?

Options:

A.

Splunk user is automatically deleted from authentication.conf.

B.

LDAP settings take precedence.

C.

Splunk settings take precedence.

D.

LDAP user is automatically deleted from authentication.conf

Question 24

What is the importance of modifying Transparent Huge Pages (THP) and ulimit settings when installing Splunk Enterprise?

Options:

A.

To allow maximum performance only in virtualized environments.

B.

To align to best practices that reduce latency and maintain indexing and search performance.

C.

To allow bare-minimum compatibility with Linux and Splunk Enterprise.

D.

To minimize latency only within the indexing layer of Splunk environments.

Question 25

What is the command to reset the fishbucket for one source?

Options:

A.

rm -r ~/splunkforwarder/var/lib/splunk/fishbucket

B.

splunk clean eventdata -index _thefishbucket

C.

splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file < source > --reset

D.

splunk btool fishbucket reset < source >

Question 26

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

Options:

A.

Nothing changes.

B.

The peer-apps local directory becomes the highest priority.

C.

The app local directories move to second in the priority list.

D.

The system default directory ' becomes the highest priority.

Question 27

The CLI command splunk add forward-server indexer: < receiving-port > will create stanza(s) in

which configuration file?

Options:

A.

inputs.conf

B.

indexes.conf

C.

outputs.conf

D.

servers.conf

Question 28

How is a remote monitor input distributed to forwarders?

Options:

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Question 29

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

Options:

A.

_license

B.

_lnternal

C.

_external

D.

_thefishbucket

Question 30

Amanda is tasked with hiding the first 5 digits of the account number in the following log and replacing them with xxxxx.

Example events:

[22/Oct/2014:00:46:27] VendorID=9112 Code=B AcctID=4902636940

[22/Oct/2014:00:48:40] VendorID=1004 Code=J AcctID=4236256056

[22/Oct/2014:00:50:02] VendorID=5034 Code=H AcctID=0462999288

Which props.conf configuration would achieve this goal?

Options:

A.

[source::.../vendor_sales.log]

TRANSFORMS-acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g

B.

[source::.../vendor_sales.log]

REPLACE-acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g

C.

[source::.../vendor_sales.log]

SEDCMD-acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g

D.

[source::.../vendor_sales.log]

SED-acct = s/AcctID=\d{5}(\d{5})/AcctID=xxxxx\1/g

Question 31

What action could be taken to prevent a license warning with an ingest-based license?

Options:

A.

Add a new license before midnight on the indexer(s).

B.

Delete the data before midnight on the indexer(s).

C.

Add a new license before midnight on the license manager.

D.

Delete the data before midnight on the license manager.

Question 32

What is an example of a proper configuration for CHARSET within props.conf?

Options:

A.

[host: : server. splunk. com]CHARSET = BIG5

B.

[index: :main]CHARSET = BIG5

C.

[sourcetype: : son]CHARSET = BIG5

D.

[source: : /var/log/ splunk]CHARSET = BIG5

Question 33

What configuration file are remote Windows Management Instrumentation inputs defined in?

Options:

A.

wmi_inputs.conf

B.

inputs.conf

C.

None, the inputs are defined outside of Splunk.

D.

wmi.conf

Question 34

A Universal Forwarder is monitoring a very active syslog stream and as a result is unable to switch between destinations. How would an admin safely remediate this issue?

Options:

A.

Configure and enable the LINE_BREAKER on the forwarder.

B.

Configure useAck on the forwarder.

C.

Configure forceTimebasedAutoLB on the forwarder.

D.

Configure and enable the FVFNT BREAKER on the forwarder.

Question 35

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

Options:

A.

SFLUNK_HOME/etc/deployment

B.

SPLUNK_HOME/etc/system/local

C.

SPLUNK_HOME/etc/system/default

D.

SPLUNK_KOME/etc/apps/deployment

Question 36

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

Options:

A.

... is not supported in monitor stanzas

B.

There is no difference, they are interchangable and match anything beyond directory boundaries.

C.

* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D.

... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Question 37

Which parent directory contains the configuration files in Splunk?

Options:

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Question 38

Which of the following apply to how distributed search works? (select all that apply)

Options:

A.

The search head dispatches searches to the peers

B.

The search peers pull the data from the forwarders.

C.

Peers run searches in parallel and return their portion of results.

D.

The search head consolidates the individual results and prepares reports

Question 39

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

Options:

A.

Heavy Forwarders

B.

Universal Forwarders

C.

Search peers

D.

Search heads

Question 40

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

Options:

A.

Buy a bigger Splunk license.

B.

Add 2.5 TB each day for the next 5 days.

C.

Add all 10 TB in a single 24 hour period.

D.

Add 200 GB of historical data each day for 50 days.

Question 41

What is the correct attribute to set in inputs.conf in order to have data sent to a particular indexer group?

Options:

A.

_SPLUNKDB_ROUTING

B.

_TCP_ROUTING

C.

_UDF_ROUTING

D.

_INGEST_ROUTING

Question 42

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

Options:

A.

Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

B.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C.

Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Question 43

In which phase do indexed extractions in props.conf occur?

Options:

A.

Inputs phase

B.

Parsing phase

C.

Indexing phase

D.

Searching phase

Question 44

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Options:

A.

index=main

B.

index=test

C.

index=summary

D.

index=_internal

Question 45

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Question 46

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

Options:

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Question 47

When should the Data Preview feature be used?

Options:

A.

When extracting fields for ingested data.

B.

When previewing the data before searching.

C.

When reviewing data on the source host.

D.

When validating the parsing of data.

Question 48

In this example, ifuseACKis set to true and themaxQueueSizeis set to 7MB, what is the size of the wait queue on this universal forwarder?

Options:

A.

21MB

B.

28MB

C.

14MB

D.

7MB

Question 49

Which is a valid stanza for a network input?

Options:

A.

[udp://172.16.10.1:9997]connection = dnssourcetype = dns

B.

[any://172.16.10.1:10001]connection_host = ipsourcetype = web

C.

[tcp://172.16.10.1:9997]connection_host = websourcetype = web

D.

[tcp://172.16.10.1:10001]connection_host = dnssourcetype = dn s

Question 50

Seven different network switches are sending traffic to a server hosting a Universal Forwarder . Three of the devices are sending TCP data and four of the devices are sending UDP data.

What is the minimum number of input stanzas that must be created on the Universal Forwarder to successfully capture data from all seven sources?

Options:

A.

One

B.

Seven

C.

Four

D.

Two

Question 51

Which of the following is a valid distributed search group?

Options:

A.

[distributedSearch:Paris] default = false servers = server1, server2

B.

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C.

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D.

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Question 52

When are knowledge bundles distributed to search peers?

Options:

A.

After a user logs in.

B.

When Splunk is restarted.

C.

When adding a new search peer.

D.

When a distributed search is initiated.

Question 53

Which of the following statements apply to directory inputs? {select all that apply)

Options:

A.

All discovered text files are consumed.

B.

Compressed files are ignored by default

C.

Splunk recursively traverses through the directory structure.

D.

When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Question 54

Which of the following statements describe deployment management? (select all that apply)

Options:

A.

Requires an Enterprise license

B.

Is responsible for sending apps to forwarders.

C.

Once used, is the only way to manage forwarders

D.

Can automatically restart the host OS running the forwarder.

Question 55

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Question 56

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

as

Options:

A.

host=server1index=unixinfo

B.

host=server1index=searchinfo

C.

host=searchsvr1index=searchinfo

D.

host=unixsvr1index=unixinfo

Question 57

What is required when adding a native user to Splunk? (select all that apply)

Options:

A.

Password

B.

Username

C.

Full Name

D.

Default app

Question 58

Given a forwarder with the following outputs.conf configuration:

[tcpout : mypartner]

Server = 145.188.183.184:9097

[tcpout : hfbank]

server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997

Which of the following is a true statement?

Options:

A.

Data will continue to flow to hfbank if 145.1 ga. 183.184 : 9097 is unreachable.

B.

Data is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP.

C.

Data is encrypted to mypartner because 145.183.184 : 9097 is specified by IP.

D.

Data will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

Question 59

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

Options:

A.

Indexers

B.

Forwarder

C.

Search head

D.

Search peers

Question 60

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as

follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

Options:

A.

props.conf[mask-SSN]REX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2KEY = _raw

B.

props.conf[mask-SSN]REGEX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

C.

transforms.conf[mask-SSN]REX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

D.

transforms.conf[mask-SSN]REGEX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

Question 61

Which of the following describes a Splunk deployment server?

Options:

A.

A Splunk Forwarder that deploys data to multiple indexers.

B.

A Splunk app installed on a Splunk Enterprise server.

C.

A Splunk Enterprise server that distributes apps.

D.

A server that automates the deployment of Splunk Enterprise to remote servers.

Page: 1 / 21
Total 206 questions