Pre-Summer Sale Special - Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: mxmas70

Home > Splunk > Splunk Enterprise Certified Admin > SPLK-1003

SPLK-1003 Splunk Enterprise Certified Admin Question and Answers

Question # 4

How is a remote monitor input distributed to forwarders?

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Full Access
Question # 5

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

A.

Deployer

B.

Cluster master

C.

Deployment server

D.

Search head cluster master

Full Access
Question # 6

What is the valid option for a [monitor] stanza in inputs.conf?

A.

enabled

B.

datasource

C.

server_name

D.

ignoreOlderThan

Full Access
Question # 7

Which valid bucket types are searchable? (select all that apply)

A.

Hot buckets

B.

Cold buckets

C.

Warm buckets

D.

Frozen buckets

Full Access
Question # 8

Which setting allows the configuration of Splunk to allow events to span over more than one line?

A.

SHOULD_LINEMERGE = true

B.

BREAK_ONLY_BEFORE_DATE = true

C.

BREAK_ONLY_BEFORE = < REGEX pattern >

D.

SHOULD_LINEMERGE = false

Full Access
Question # 9

What is the correct attribute to set in inputs.conf in order to have data sent to a particular indexer group?

A.

_SPLUNKDB_ROUTING

B.

_TCP_ROUTING

C.

_UDF_ROUTING

D.

_INGEST_ROUTING

Full Access
Question # 10

Which of the following describes a Splunk deployment server?

A.

A Splunk Forwarder that deploys data to multiple indexers.

B.

A Splunk app installed on a Splunk Enterprise server.

C.

A Splunk Enterprise server that distributes apps.

D.

A server that automates the deployment of Splunk Enterprise to remote servers.

Full Access
Question # 11

Consider the following stanza ininputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Full Access
Question # 12

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

A.

Blacklist

B.

Whitelist

C.

They cancel each other out.

D.

Whichever is entered into the configuration first.

Full Access
Question # 13

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

A.

It does not encrypt the certificate password.

B.

SSL automatically compresses the feed by default.

C.

It requires that the forwarder be set to compressed=true.

D.

It requires that the receiver be set to compression=true.

Full Access
Question # 14

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

A.

GUID

B.

DNS

C.

Hash Checksum

D.

IP Address

Full Access
Question # 15

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

A.

True

B.

False

C.

< regex string >

D.

Newline Character

Full Access
Question # 16

In which phase do indexed extractions in props.conf occur?

A.

Inputs phase

B.

Parsing phase

C.

Indexing phase

D.

Searching phase

Full Access
Question # 17

Which scenario is applicable given the stanzas in authentication.conf below?

[authentication]

externalTwoFactorAuthVendor = Duo

externalTwoFactorAuthSettings = duoMFA

[duoMFA]

integrationKey = aGFwcHliaXJ0aGRheU1pZGR5

secretKey = YXVzdHJhaWxpYW5Gb3JHcmVw

applicationKey = c3BsaW5raW5ndGhlcGx1bWJ1c3NpbmN1OTU

apiHostname = 466993018.duosecurity.com

failOpen = True

timeout = 60

A.

If Splunk cannot connect to the multifactor authentication provider, all logins will be denied.

B.

Multifactor authentication is required to log into the host operating system.

C.

The secretKey does not need to be protected since multifactor authentication is turned on.

D.

If Splunk cannot connect to the multifactor authentication provider, authentications will be successful without completing a multifactor challenge.

Full Access
Question # 18

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Full Access
Question # 19

Where are license files stored?

A.

$SPLUNK_HOME/etc/secure

B.

$SPLUNK_HOME/etc/system

C.

$SPLUNK_HOME/etc/licenses

D.

$SPLUNK_HOME/etc/apps/licenses

Full Access
Question # 20

Which of the following are methods for adding inputs in Splunk? (select all that apply)

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Full Access
Question # 21

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

A.

It requires a separate channel provided by the client.

B.

It is configured the same as indexer acknowledgement used to protect in-flight data.

C.

It can be enabled at the global setting level.

D.

It stores status information on the Splunk server.

Full Access
Question # 22

What is the importance of modifying Transparent Huge Pages (THP) and ulimit settings when installing Splunk Enterprise?

A.

To allow maximum performance only in virtualized environments.

B.

To align to best practices that reduce latency and maintain indexing and search performance.

C.

To allow bare-minimum compatibility with Linux and Splunk Enterprise.

D.

To minimize latency only within the indexing layer of Splunk environments.

Full Access
Question # 23

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as

follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

A.

props.conf[mask-SSN]REX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2KEY = _raw

B.

props.conf[mask-SSN]REGEX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

C.

transforms.conf[mask-SSN]REX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

D.

transforms.conf[mask-SSN]REGEX = (?ms)^(.)\ < [SSN > \d{3}-?\d{2}-?(\d{4}.*)$ " FORMAT = $1 < SSN > ###-##-$2DEST_KEY = _raw

Full Access
Question # 24

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

A.

services/ collector

B.

services/ inputs ? raw

C.

services/ data/ collector

D.

data/ collector

Full Access
Question # 25

What is the correct curl to send multiple events through HTTP Event Collector?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 26

Which Splunk component requires a Forwarder license?

A.

Search head

B.

Heavy forwarder

C.

Heaviest forwarder

D.

Universal forwarder

Full Access
Question # 27

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

A.

IgnoreOlderThan

B.

allowList

C.

monitor

D.

followTail

Full Access
Question # 28

What are the minimum required settings when creating a network input in Splunk?

A.

Protocol, port number

B.

Protocol, port, location

C.

Protocol, username, port

D.

Protocol, IP. port number

Full Access
Question # 29

Where are deployment server apps mapped to clients?

A.

Apps tab in forwarder management interface or clientapps.conf.

B.

Clients tab in forwarder management interface or deploymentclient.conf.

C.

Server Classes tab in forwarder management interface or serverclass.conf.

D.

Client Applications tab in forwarder management interface or clientapps.conf.

Full Access
Question # 30

Which is a valid stanza for a network input?

A.

[udp://172.16.10.1:9997]connection = dnssourcetype = dns

B.

[any://172.16.10.1:10001]connection_host = ipsourcetype = web

C.

[tcp://172.16.10.1:9997]connection_host = websourcetype = web

D.

[tcp://172.16.10.1:10001]connection_host = dnssourcetype = dn s

Full Access
Question # 31

A request has been made to restrict lookup files up to 500 megabytes for replication . Anything larger should not be replicated . Which of the following parameters provides the correct control for this scenario?

A.

maxBundleSize

B.

maxMemoryBundleSize

C.

excludeReplicatedLookupSize

D.

includeReplicatedLookupSize

Full Access
Question # 32

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

A.

Run $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

B.

Create and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

C.

Create and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

D.

Run $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Full Access
Question # 33

Where should apps be located on the deployment server that the clients pull from?

A.

$SFLUNK_KOME/etc/apps

B.

$SPLUNK_HCME/etc/sear:ch

C.

$SPLUNK_HCME/etc/master-apps

D.

$SPLUNK HCME/etc/deployment-apps

Full Access
Question # 34

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

A.

Universal Coordinated Time.

B.

The timezone of the search head.

C.

The timezone of the indexer that indexed the event.

D.

The timezone of the forwarder.

Full Access
Question # 35

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Full Access
Question # 36

How can native authentication be disabled in Splunk?

A.

Remove the $SPLUNK_HOME/etc/passwd file

B.

Create an empty $SPLUNK_HOME/etc/passwd file

C.

Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

D.

Set nativeAuthentication=false in authentication.conf

Full Access
Question # 37

How do you remove missing forwarders from the Monitoring Console?

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Full Access
Question # 38

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 39

Which of the following applies only to Splunk index data integrity check?

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Full Access
Question # 40

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Full Access
Question # 41

A configuration file in a deployed app needs to be directly edited. Which steps would ensure a successful deployment to clients?

A.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and the change will be automatically sent to the deployment clients.

B.

Make the change in $SPLUNK HOME /etc/apps/$appname/local/ on any of the deployment clients, and then run the command . / splunk reload deploy-server to push that change to the deployment server.

C.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and then run $SPLUNK HOME/bin/sp1unk reload deploy—server.

D.

Make the change in $SPLUNK HOME/etc/apps/$appName/defau1t on the deployment server, and it will be distributed down to the clients ' own local versions.

Full Access
Question # 42

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A.

[read://opt/log/crashlog/Jan27crash.txt]

B.

[monitor::/ opt/log/crashlog/Jan27crash.txt]

C.

[monitor:/// opt/log/]

D.

[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Full Access
Question # 43

Which of the following lists the three phases of the Splunk Indexing process in order?

A.

Ingest phaseLicensing phaseParsing phase

B.

Sourcetype phaseIndex phaseWrite-to-disk phase

C.

Input phaseParsing phaseIndexing phase

D.

Ingest phaseTransforming phaseIndexing phase

Full Access
Question # 44

What is required when adding a native user to Splunk? (select all that apply)

A.

Password

B.

Username

C.

Full Name

D.

Default app

Full Access
Question # 45

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

A.

Duo Administrator

B.

LDAP Administrator

C.

SAML Administrator

D.

Trio Administrator

Full Access
Question # 46

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A.

90 days

B.

60 days

C.

7 days

D.

14 days

Full Access
Question # 47

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

A.

splunk btool server list --debug

B.

splunk list forward-indexer

C.

splunk list forward-server

D.

splunk btool indexes list --debug

Full Access
Question # 48

What is the correct example to redact a plain-text password from raw events?

A.

in props.conf:[identity]REGEX-redact_pw = s/password=([^,|/s] +)/ ####REACTED####/g

B.

in props.conf:[identity]SEDCMD-redact_pw = s/password=([^,|/s] +)/ ####REACTED####/g

C.

in transforms.conf:[identity]SEDCMD-redact_pw = s/password=([^,|/s] +)/ ####REACTED####/g

D.

in transforms.conf:[identity]REGEX-redact_pw = s/password=([^,|/s] +)/ ####REACTED####/g

Full Access
Question # 49

A user is assigned two roles with the following search filters. What is the user ' s applied search filter?

A.

B.

B.

C.

C.

D.

D.

Full Access
Question # 50

Which Splunk component would one use to perform line breaking prior to indexing?

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Full Access
Question # 51

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of

users?

A.

Linked roles

B.

Grantable roles

C.

Role federation

D.

Role inheritance

Full Access
Question # 52

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Full Access
Question # 53

Which parent directory contains the configuration files in Splunk?

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Full Access
Question # 54

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A.

Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

B.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C.

Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Full Access
Question # 55

When indexing a data source, which fields are considered metadata?

A.

source, host, time

B.

time, sourcetype, source

C.

host, raw, sourcetype

D.

sourcetype, source, host

Full Access
Question # 56

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

A.

host

B.

index

C.

linecount

D.

splunk_server

Full Access
Question # 57

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

A.

Tail Reader

B.

Upload

C.

MonitorNoHandIe

D.

Monitor

Full Access
Question # 58

A Universal Forwarder is monitoring a very active syslog stream and as a result is unable to switch between destinations. How would an admin safely remediate this issue?

A.

Configure and enable the LINE_BREAKER on the forwarder.

B.

Configure useAck on the forwarder.

C.

Configure forceTimebasedAutoLB on the forwarder.

D.

Configure and enable the FVFNT BREAKER on the forwarder.

Full Access
Question # 59

Given a forwarder with the following outputs.conf configuration:

[tcpout : mypartner]

Server = 145.188.183.184:9097

[tcpout : hfbank]

server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997

Which of the following is a true statement?

A.

Data will continue to flow to hfbank if 145.1 ga. 183.184 : 9097 is unreachable.

B.

Data is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP.

C.

Data is encrypted to mypartner because 145.183.184 : 9097 is specified by IP.

D.

Data will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

Full Access
Question # 60

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A.

_audit

B.

_checkpoint

C.

_introspection

D.

_thefishbucket

Full Access
Question # 61

Local user accounts created in Splunk store passwords in which file?

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Full Access