March Sale Special - 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: c4sdisc65

SPLK-1003 PDF

$38.5

$109.99

3 Months Free Update

  • Printable Format
  • Value of Money
  • 100% Pass Assurance
  • Verified Answers
  • Researched by Industry Experts
  • Based on Real Exams Scenarios
  • 100% Real Questions

SPLK-1003 PDF + Testing Engine

$61.6

$175.99

3 Months Free Update

  • Exam Name: Splunk Enterprise Certified Admin
  • Last Update: Mar 28, 2024
  • Questions and Answers: 174
  • Free Real Questions Demo
  • Recommended by Industry Experts
  • Best Economical Package
  • Immediate Access

SPLK-1003 Engine

$46.2

$131.99

3 Months Free Update

  • Best Testing Engine
  • One Click installation
  • Recommended by Teachers
  • Easy to use
  • 3 Modes of Learning
  • State of Art Technology
  • 100% Real Questions included

SPLK-1003 Splunk Enterprise Certified Admin Questions and Answers

Question # 6

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

A.

diskQueueSize

B.

durableQueueSize

C persistentOueueSize

C.

queueSize

Full Access
Question # 7

When indexing a data source, which fields are considered metadata?

A.

source, host, time

B.

time, sourcetype, source

C.

host, raw, sourcetype

D.

sourcetype, source, host

Full Access
Question # 8

What is the correct order of steps in Duo Multifactor Authentication?

A.

1 Request Login

2. Connect to SAML server

3 Duo MFA

4 Create User session

5 Authentication Granted 6. Log into Splunk

B.

1. Request Login 2 Duo MFA

3. Authentication Granted 4 Connect to SAML server

5. Log into Splunk

6. Create User session

C.

1 Request Login

2 Check authentication / group mapping

3 Authentication Granted

4. Duo MFA

5. Create User session

6. Log into Splunk

D.

1 Request Login 2 Duo MFA

3. Check authentication / group mapping

4 Create User session

5. Authentication Granted

6 Log into Splunk

Full Access
Question # 9

A configuration file in a deployed app needs to be directly edited. Which steps would ensure a successful deployment to clients?

A.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and the change will be automatically sent to the deployment clients.

B.

Make the change in $SPLUNK HOME /etc/apps/$appname/local/ on any of the deployment clients, and then run the command . / splunk reload deploy-server to push that change to the deployment server.

C.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and then run $SPLUNK HOME/bin/sp1unk reload deploy—server.

D.

Make the change in $SPLUNK HOME/etc/apps/$appName/defau1t on the deployment server, and it will be distributed down to the clients' own local versions.

Full Access
Question # 10

Which of the following is a benefit of distributed search?

A.

Peers run search in sequence.

B.

Peers run search in parallel.

C.

Resilience from indexer failure.

D.

Resilience from search head failure.

Full Access
Question # 11

Which additional component is required for a search head cluster?

A.

Deployer

B.

Cluster Master

C.

Monitoring Console

D.

Management Console

Full Access
Question # 12

How do you remove missing forwarders from the Monitoring Console?

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Full Access
Question # 13

How often does Splunk recheck the LDAP server?

A.

Every 5 minutes

B.

Each time a user logs in

C.

Each time Splunk is restarted

D.

Varies based on LDAP_refresh setting.

Full Access
Question # 14

Immediately after installation, what will a Universal Forwarder do first?

A.

Automatically detect any indexers in its subnet and begin routing data.

B.

Begin reading local files on its server.

C.

Begin generating internal Splunk logs.

D.

Send an email to the operator that the installation process has completed.

Full Access
Question # 15

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

A.

CLI

B.

Edit inputs . conf

C.

Edit forwarder.conf

D.

Forwarder Management

Full Access
Question # 16

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

A.

admin

B.

power

C.

user

D.

splunk-system-role

Full Access
Question # 17

Which setting allows the configuration of Splunk to allow events to span over more than one line?

A.

SHOULD_LINEMERGE = true

B.

BREAK_ONLY_BEFORE_DATE = true

C.

BREAK_ONLY_BEFORE =

D.

SHOULD_LINEMERGE = false

Full Access
Question # 18

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

A.

A token-based HTTP input that is secure and scalable and that requires the use of forwarders

B.

A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

C.

An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

D.

A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Full Access
Question # 19

What is the correct example to redact a plain-text password from raw events?

A.

in props.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

B.

in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

C.

in transforms.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

D.

in transforms.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Full Access
Question # 20

Which parent directory contains the configuration files in Splunk?

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Full Access
Question # 21

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A.

_audit

B.

_checkpoint

C.

_introspection

D.

_thefishbucket

Full Access
Question # 22

What conf file needs to be edited to set up distributed search groups?

A.

props.conf

B.

search.conf

C.

distsearch.conf

D.

distibutedsearch.conf

Full Access
Question # 23

Which of the following statements describes how distributed search works?

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Full Access
Question # 24

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A.

[monitor:///var/log/.../secure.*

B.

[monitor:///var/log/www1/secure.*]

C.

[monitor:///var/log/www1/secure.log]

D.

[monitor:///var/log/www*/secure.*]

Full Access
Question # 25

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Full Access
Question # 26

What is the valid option for a [monitor] stanza in inputs.conf?

A.

enabled

B.

datasource

C.

server_name

D.

ignoreOlderThan

Full Access
Question # 27

What is an example of a proper configuration for CHARSET within props.conf?

A.

[host: : server. splunk. com]

CHARSET = BIG5

B.

[index: :main]

CHARSET = BIG5

C.

[sourcetype: : son]

CHARSET = BIG5

D.

[source: : /var/log/ splunk]

CHARSET = BIG5

Full Access
Question # 28

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

A.

Update the user in Splunk web informing them that the results of their search may be incomplete.

B.

Repeat the search request on indexer B without informing the user.

C.

Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

D.

Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Full Access
Question # 29

Which setting in indexes. conf allows data retention to be controlled by time?

A.

maxDaysToKeep

B.

moveToFrozenAfter

C.

maxDataRetentionTime

D.

frozenTimePeriodlnSecs

Full Access
Question # 30

Which of the following is valid distribute search group?

A)

SPLK-1003 question answer

B)

SPLK-1003 question answer

C)

SPLK-1003 question answer

D)

SPLK-1003 question answer

A.

option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 31

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Full Access
Question # 32

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

A.

Any OS platform

B.

Linux platform only

C.

Windows platform only.

D.

None of the above.

Full Access
Question # 33

Which of the following applies only to Splunk index data integrity check?

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Full Access
Question # 34

Which Splunk component does a search head primarily communicate with?

A.

Indexer

B.

Forwarder

C.

Cluster master

D.

Deployment server

Full Access
Question # 35

What is a role in Splunk? (select all that apply)

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Full Access
Question # 36

Which of the following are reasons to create separate indexes? (Choose all that apply.)

A.

Different retention times.

B.

Increase number of users.

C.

Restrict user permissions.

D.

File organization.

Full Access
Question # 37

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

A.

channelTTL

B.

connectionTimeout

C.

autoLBFrequency

D.

secsInFailurelnterval

Full Access
Question # 38

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

A.

Slash notation

B.

Regular expression

C.

Irregular expression

D.

Wildcard-only expression

Full Access
Question # 39

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Full Access
Question # 40

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

A.

Blacklist

B.

Whitelist

C.

They cancel each other out.

D.

Whichever is entered into the configuration first.

Full Access
Question # 41

Which of the following are supported options when configuring optional network inputs?

A.

Metadata override, sender filtering options, network input queues (quantum queues)

B.

Metadata override, sender filtering options, network input queues (memory/persistent queues)

C.

Filename override, sender filtering options, network output queues (memory/persistent queues)

D.

Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Full Access
Question # 42

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Full Access
Question # 43

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

A.

Universal forwarders

B.

Splunk Cloud

C.

Linux package managers

D.

Windows using WMI

Full Access
Question # 44

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

A.

Map Users

B.

Map Groups

C.

Map LDAP Inheritance

D.

Map LDAP to Active Directory

Full Access
Question # 45

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A.

Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

B.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C.

Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Full Access
Question # 46

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

A.

Deployer

B.

Cluster master

C.

Deployment server

D.

Search head cluster master

Full Access
Question # 47

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

A.

Universal Coordinated Time.

B.

The timezone of the search head.

C.

The timezone of the indexer that indexed the event.

D.

The timezone of the forwarder.

Full Access
Question # 48

What is the name of the object that stores events inside of an index?

A.

Container

B.

Bucket

C.

Data layer

D.

Indexer

Full Access
Question # 49

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

A.

App Class

B.

Client Class

C.

Server Class

D.

Forwarder Class

Full Access
Question # 50

What options are available when creating custom roles? (select all that apply)

A.

Restrict search terms

B.

Whitelist search terms

C.

Limit the number of concurrent search jobs

D.

Allow or restrict indexes that can be searched.

Full Access
Question # 51

Which forwarder type can parse data prior to forwarding?

A.

Universal forwarder

B.

Heaviest forwarder

C.

Hyper forwarder

D.

Heavy forwarder

Full Access
Question # 52

How is data handled by Splunk during the input phase of the data ingestion process?

A.

Data is treated as streams.

B.

Data is broken up into events.

C.

Data is initially written to disk.

D.

Data is measured by the license meter.

Full Access
Question # 53

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

A.

If Splunk is restarted, data will be queued and then sent when Splunk has restarted.

B.

Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

C.

The host value associated with data received will be the IP address that sent the data.

D.

If Splunk is restarted, data may be lost.

Full Access
Question # 54

What is the default value ofLINE_BREAKER?

A.

\r\n

B.

([\r\n]+)

C.

\r+\n+

D.

(\r\n+)

Full Access