New Year Special Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 70special

Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test

Page: 1 / 19
Total 185 questions

Splunk Enterprise Certified Admin Questions and Answers

Testing Engine

  • Product Type: Testing Engine
$37.5  $124.99

PDF Study Guide

  • Product Type: PDF Study Guide
$33  $109.99
Question 1

In which Splunk configuration is the SEDCMD used?

Options:

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Question 2

Where are deployment server apps mapped to clients?

Options:

A.

Apps tab in forwarder management interface or clientapps.conf.

B.

Clients tab in forwarder management interface or deploymentclient.conf.

C.

Server Classes tab in forwarder management interface or serverclass.conf.

D.

Client Applications tab in forwarder management interface or clientapps.conf.

Question 3

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

Options:

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Question 4

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Options:

A.

host=server1

index=unixinfo

B.

host=server1

index=searchinfo

C.

host=searchsvr1

index=searchinfo

D.

host=unixsvr1

index=unixinfo

Question 5

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

Options:

A.

If Splunk is restarted, data will be queued and then sent when Splunk has restarted.

B.

Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

C.

The host value associated with data received will be the IP address that sent the data.

D.

If Splunk is restarted, data may be lost.

Question 6

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

Options:

A.

/var/log/messages

B.

/var/log/maillog

C.

/var/log/maillog and /var/log/messages

D.

none of the above

Question 7

Within props. conf, which stanzas are valid for data modification? (select all that apply)

Options:

A.

Host

B.

Server

C.

Source

D.

Sourcetype

Question 8

Which of the following apply to how distributed search works? (select all that apply)

Options:

A.

The search head dispatches searches to the peers

B.

The search peers pull the data from the forwarders.

C.

Peers run searches in parallel and return their portion of results.

D.

The search head consolidates the individual results and prepares reports

Question 9

How is a remote monitor input distributed to forwarders?

Options:

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Question 10

When running a real-time search, search results are pulled from which Splunk component?

Options:

A.

Heavy forwarders and search peers

B.

Heavy forwarders

C.

Search heads

D.

Search peers

Question 11

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

Options:

A.

LDAP

B.

SAML

C.

RADIUS

D.

Duo Multifactor Authentication

Question 12

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

Options:

A.

... is not supported in monitor stanzas

B.

There is no difference, they are interchangable and match anything beyond directory boundaries.

C.

* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D.

... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Question 13

Which of the following is a valid distributed search group?

Options:

A.

[distributedSearch:Paris] default = false servers = server1, server2

B.

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C.

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D.

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Question 14

Which of the following statements apply to directory inputs? {select all that apply)

Options:

A.

All discovered text files are consumed.

B.

Compressed files are ignored by default

C.

Splunk recursively traverses through the directory structure.

D.

When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Question 15

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Options:

A.

inputs.conf

B.

monitor.conf

C.

outputs.conf

D.

forwarder.conf

Question 16

What is the default value of LINE_BREAKER?

Options:

A.

\r\n

B.

([\r\n]+)

C.

\r+\n+

D.

(\r\n+)

Question 17

What action is required to enable forwarder management in Splunk Web?

Options:

A.

Navigate to Settings > Server Settings > General Settings, and set an App server port.

B.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C.

Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

D.

Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Question 18

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Question 19

What is the correct curl to send multiple events through HTTP Event Collector?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 20

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

Options:

A.

21MB

B.

28MB

C.

14MB

D.

7MB

Question 21

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

Options:

A.

Enable indexer acknowledgment.

B.

Enable forwarder acknowledgment.

C.

splunk check-integrity -index

D.

index=_internal component=ACK | stats count by host

Question 22

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Question 23

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

Options:

A.

Universal forwarders

B.

Splunk Cloud

C.

Linux package managers

D.

Windows using WMI

Question 24

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 25

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

A)

B)

C)

D)

Options:

A.

option A

B.

Option B

C.

Option C

D.

Option D

Question 26

Which of the following describes a Splunk deployment server?

Options:

A.

A Splunk Forwarder that deploys data to multiple indexers.

B.

A Splunk app installed on a Splunk Enterprise server.

C.

A Splunk Enterprise server that distributes apps.

D.

A server that automates the deployment of Splunk Enterprise to remote servers.

Question 27

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

A.

License data

B.

Metricsdata

C.

Internal Splunk data

D.

Internal Windows logs

Question 28

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

B)

C)

D)

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question 29

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

Options:

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Question 30

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

Options:

A.

To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

B.

To ensure that configuration files have not been tampered with for auditing and/or legal purposes

C.

To ensure that user passwords have not been tampered with for auditing and/or legal purposes.

D.

To ensure that data has not been tampered with for auditing and/or legal purposes

Question 31

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

Options:

A.

/var/log/host_460352847/temp/bar/file/csv/foo.txt

B.

/var/log/host_460352847/bar/foo.txt

C.

/var/log/host_460352847/bar/file/foo.txt

D.

/var/ log/ host_460352847/temp/bar/file/foo.txt

Question 32

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

Options:

A.

REGEX, DEST. FORMAT

B.

REGEX. SRC_KEY, FORMAT

C.

REGEX, DEST_KEY, FORMAT

D.

REGEX, DEST_KEY FORMATTING

Question 33

During search time, which directory of configuration files has the highest precedence?

Options:

A.

$SFLUNK_KOME/etc/system/local

B.

$SPLUNK_KCME/etc/system/default

C.

$SPLUNK_HCME/etc/apps/app1/local

D.

$SPLUNK HCME/etc/users/admin/local

Question 34

How do you remove missing forwarders from the Monitoring Console?

Options:

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Question 35

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Options:

A.

props.conf

B.

inputs.conf

C.

outputs.conf

D.

collections.conf

Question 36

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

Options:

A.

Indexer

B.

Deployer

C.

Forwarder

D.

Deployment server

Question 37

An admin oversees an environment with a 1000 GBI day license. The configuration file

server.conf has strict pool quota=false set. The license is divided into the following three pools, and today's usage is shown on the right-hand column:

PoolLicense SizeToday's usage

X500 GB/day100 GB

Y350 GB/day400 GB

Z150 GB/day300 GB

Given this, which pool(s) are issued warnings?

Options:

A.

All pools

B.

Z only

C.

None

D.

Y and Z

Question 38

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

A.

fifo pipeline

B.

Indexing pipeline

C.

Parsing pipeline

D.

Typing pipeline

Question 39

What is required when adding a native user to Splunk? (select all that apply)

Options:

A.

Password

B.

Username

C.

Full Name

D.

Default app

Question 40

User role inheritance allows what to be inherited from the parent role? (select all that apply)

Options:

A.

Parents

B.

Capabilities

C.

Index access

D.

Search history

Question 41

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

Options:

A.

Index once.

B.

Monitor interval.

C.

On-demand monitor.

D.

Continuously monitor.

Question 42

Which of the following statements describe deployment management? (select all that apply)

Options:

A.

Requires an Enterprise license

B.

Is responsible for sending apps to forwarders.

C.

Once used, is the only way to manage forwarders

D.

Can automatically restart the host OS running the forwarder.

Question 43

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?

Options:

A.

Indexer clustering

B.

LDAP control

C.

Distributed search

D.

Search head clustering

Question 44

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Options:

A.

admin

B.

power

C.

user

D.

splunk-system-role

Question 45

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

Options:

A.

_TCP_ROUTING

B.

_INDEXER_LIST

C.

_INDEXER_GROUP

D.

_INDEXER ROUTING

Question 46

Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

Options:

A.

Universal Forwarder

B.

Search head

C.

Heavy Forwarder

D.

Indexer

Question 47

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

Options:

A.

Indexer

B.

Deployment server

C.

Universal forwarder

D.

Search head

Question 48

Which of the following is a valid method to create a Splunk user?

Options:

A.

Create a support ticket.

B.

Create a user on the host operating system.

C.

Splunk REST API.

D.

Add the username to users. conf.

Question 49

Which of the following types of data count against the license daily quota?

Options:

A.

Replicated data

B.

splunkd logs

C.

Summary index data

D.

Windows internal logs

Question 50

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of

users?

Options:

A.

Linked roles

B.

Grantable roles

C.

Role federation

D.

Role inheritance

Question 51

What is the command to reset the fishbucket for one source?

Options:

A.

rm -r ~/splunkforwarder/var/lib/splunk/fishbucket

B.

splunk clean eventdata -index _thefishbucket

C.

splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file --reset

D.

splunk btool fishbucket reset

Question 52

What is the correct order of steps in Duo Multifactor Authentication?

Options:

A.

1 Request Login

2. Connect to SAML server

3 Duo MFA

4 Create User session

5 Authentication Granted 6. Log into Splunk

B.

1. Request Login 2 Duo MFA

3. Authentication Granted 4 Connect to SAML server

5. Log into Splunk

6. Create User session

C.

1 Request Login

2 Check authentication / group mapping

3 Authentication Granted

4. Duo MFA

5. Create User session

6. Log into Splunk

D.

1 Request Login 2 Duo MFA

3. Check authentication / group mapping

4 Create User session

5. Authentication Granted

6 Log into Splunk

Question 53

Where should apps be located on the deployment server that the clients pull from?

Options:

A.

$SFLUNK_KOME/etc/apps

B.

$SPLUNK_HCME/etc/sear:ch

C.

$SPLUNK_HCME/etc/master-apps

D.

$SPLUNK HCME/etc/deployment-apps

Question 54

To set up a Network input in Splunk, what needs to be specified'?

Options:

A.

File path.

B.

Username and password

C.

Network protocol and port number.

D.

Network protocol and MAC address.

Question 55

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Page: 1 / 19
Total 185 questions