Splunk Enterprise Certified Admin Exam Question and Answers

Splunk Enterprise Certified Admin Exam

Last Update May 2, 2024
Total Questions : 174

We are offering FREE SPLK-1003 Splunk exam questions. All you do is to just go and sign up. Give your details, prepare SPLK-1003 free exam questions and then go for complete pool of Splunk Enterprise Certified Admin Exam test questions that will help you more.

SPLK-1003 PDF

$35 ~~$99.99~~

Add to Cart

SPLK-1003 Testing Engine

$42 ~~$119.99~~

Add to Cart

SPLK-1003 PDF + Testing Engine

$56 ~~$159.99~~

Add to Cart

Questions 1

What is the name of the object that stores events inside of an index?

Options:

Container

Bucket

Data layer

Indexer

Discussion 0

Questions 2

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

Options:

A token-based HTTP input that is secure and scalable and that requires the use of forwarders

A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Discussion 0

Questions 3

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

Options:

Tail Reader

Upload

MonitorNoHandIe

Monitor

Discussion 0

Questions 4

Which is a valid stanza for a network input?

Options:

[udp://172.16.10.1:9997]

connection = dns

sourcetype = dns

[any://172.16.10.1:10001]

connection_host = ip

sourcetype = web

[tcp://172.16.10.1:9997]

connection_host = web

sourcetype = web

[tcp://172.16.10.1:10001]

connection_host = dns

sourcetype = dns

Discussion 0

Questions 5

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

Options:

Slash notation

Regular expression

Irregular expression

Wildcard-only expression

Discussion 0

Questions 6

Which of the following is the use case for the deployment server feature of Splunk?

Options:

Managing distributed workloads in a Splunk environment.

Automating upgrades of Splunk forwarder installations on endpoints.

Orchestrating the operations and scale of a containerized Splunk deployment.

Updating configuration and distributing apps to processing components, primarily forwarders.

Discussion 0

Questions 7

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

Indexer

Forwarder

Search head

Deployment server

Discussion 0

Questions 8

Which of the following apply to how distributed search works? (select all that apply)

Options:

The search head dispatches searches to the peers

The search peers pull the data from the forwarders.

Peers run searches in parallel and return their portion of results.

The search head consolidates the individual results and prepares reports

Discussion 0

Questions 9

Local user accounts created in Splunk store passwords in which file?

Options:

$ SFLUNK_HOME/etc/passwd

$ SFLUNK_HOME/etc/authentication

$ S?LUNK_HOME/etc/users/passwd.conf

$ SPLUNK HOME/etc/users/authentication.conf

Discussion 0

Questions 10

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

Options:

Indexers, search head, universal forwarders, license master

Indexers, search head, deployment server, universal forwarders

Indexers, search head, deployment server, license master, universal forwarder

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Discussion 0

Questions 11

Which forwarder is recommended by Splunk to use in a production environment?

Options:

Heavy forwarder

SSL forwarder

Lightweight forwarder

Universal forwarder

Discussion 0

Questions 12

Which of the following is a benefit of distributed search?

Options:

Peers run search in sequence.

Peers run search in parallel.

Resilience from indexer failure.

Resilience from search head failure.

Discussion 0

Questions 13

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Options:

index=main

index=test

index=summary

index=_internal

Discussion 0

Questions 14

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

Options:

Create one outputs . conf file for each of the server addresses in the indexing tier.

Configure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

Splunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Discussion 0

Questions 15

Which of the following applies only to Splunk index data integrity check?

Options:

Lookup table

Summary Index

Raw data in the index

Data model acceleration

Discussion 0

Questions 16

Which of the following are reasons to create separate indexes? (Choose all that apply.)

Options:

Different retention times.

Increase number of users.

Restrict user permissions.

File organization.

Discussion 0

Questions 17

Which parent directory contains the configuration files in Splunk?

Options:

SSFLUNK_HOME/etc

SSPLUNK_HOME/var

SSPLUNK_HOME/conf

SSPLUNK_HOME/default

Discussion 0

Questions 18

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

Options:

host=server1

index=unixinfo

host=server1

index=searchinfo

host=searchsvr1

index=searchinfo

host=unixsvr1

index=unixinfo

Discussion 0

Questions 19

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

Options:

True

False

Newline Character

Discussion 0

Questions 20

How can native authentication be disabled in Splunk?

Options:

Remove the $SPLUNK_HOME/etc/passwd file

Create an empty $SPLUNK_HOME/etc/passwd file

Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

Set nativeAuthentication=false in authentication.conf

Discussion 0

Questions 21

When does a warm bucket roll over to a cold bucket?

Options:

When Splunk is restarted.

When the maximum warm bucket age has been reached.

When the maximum warm bucket size has been reached.

When the maximum number of warm buckets is reached.

Discussion 0

Questions 22

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

Options:

Option A

Option B

Option C

Option D

Discussion 0

Questions 23

Which of the following is a valid distributed search group?

Options:

[distributedSearch:Paris] default = false servers = server1, server2

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Discussion 0

Questions 24

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

Options:

Indexer

Deployer

Forwarder

Deployment server

Discussion 0

Questions 25

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

Options:

CLI

Edit inputs . conf

Edit forwarder.conf

Forwarder Management

Discussion 0

Questions 26

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

Options:

_audit

_checkpoint

_introspection

_thefishbucket

Discussion 0

Questions 27

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

Options:

splunk add one shot / opt/ incident [data .log —index incident

splunk edit monitor /opt/incident/data.* —index incident

splunk add monitor /opt/incident/data.log —index incident

splunk edit oneshot [opt/ incident/data.* —index incident

Discussion 0

Questions 28

Which of the following are supported options when configuring optional network inputs?

Options:

Metadata override, sender filtering options, network input queues (quantum queues)

Metadata override, sender filtering options, network input queues (memory/persistent queues)

Filename override, sender filtering options, network output queues (memory/persistent queues)

Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Discussion 0

Questions 29

When running a real-time search, search results are pulled from which Splunk component?

Options:

Heavy forwarders and search peers

Heavy forwarders

Search heads

Search peers

Discussion 0

Questions 30

What type of Splunk license is pre-selected in a brand new Splunk installation?

Options:

Free license

Forwarder license

Enterprise trial license

Enterprise license

Discussion 0

Questions 31

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

Disk

CPUs

Memory

Network interface cards

Discussion 0

Questions 32

UsingSEDCMDinprops.confallows raw data to be modified. With the given event below, which option will mask the first three digits of theAcctIDfield resulting output:[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Options:

SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Discussion 0

Questions 33

Which additional component is required for a search head cluster?

Options:

Deployer

Cluster Master

Monitoring Console

Management Console

Discussion 0

Questions 34

What are the minimum required settings when creating a network input in Splunk?

Options:

Protocol, port number

Protocol, port, location

Protocol, username, port

Protocol, IP. port number

Discussion 0

Questions 35

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

The script will run at the default interval of 60 seconds.

The script will not be run.

The script will be run only once for each time Splunk is restarted.

The script will be run. As soon as the script exits, Splunk restarts it.

Discussion 0

Questions 36

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

Upload option

Forward option

Monitor option

Download option

Discussion 0

Questions 37

Which of the following are required when defining an index in indexes. conf? (select all that apply)

Options:

coldPath

homePath

frozenPath

thawedPath

Discussion 0

Questions 38

What is the command to reset the fishbucket for one source?

Options:

rm -r ~/splunkforwarder/var/lib/splunk/fishbucket

splunk clean eventdata -index _thefishbucket

splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file --reset

splunk btool fishbucket reset

Discussion 0

Questions 39

Where should apps be located on the deployment server that the clients pull from?

Options:

$SFLUNK_KOME/etc/apps

$SPLUNK_HCME/etc/sear:ch

$SPLUNK_HCME/etc/master-apps

$SPLUNK HCME/etc/deployment-apps

Discussion 0

Questions 40

Which data pipeline phase is the last opportunity for defining event boundaries?

Options:

Input phase

Indexing phase

Parsing phase

Search phase

Discussion 0

Questions 41

Which of the following statements describe deployment management? (select all that apply)

Options:

Requires an Enterprise license

Is responsible for sending apps to forwarders.

Once used, is the only way to manage forwarders

Can automatically restart the host OS running the forwarder.

Discussion 0

Questions 42

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

Options:

Map Users

Map Groups

Map LDAP Inheritance

Map LDAP to Active Directory

Discussion 0

Questions 43

Which Splunk component would one use to perform line breaking prior to indexing?

Options:

Heavy Forwarder

Universal Forwarder

Search head

This can only be done at the indexing layer.

Discussion 0

Questions 44

What is the correct order of steps in Duo Multifactor Authentication?

Options:

1 Request Login

2. Connect to SAML server

3 Duo MFA

4 Create User session

5 Authentication Granted 6. Log into Splunk

1. Request Login 2 Duo MFA

3. Authentication Granted 4 Connect to SAML server

5. Log into Splunk

6. Create User session

1 Request Login

2 Check authentication / group mapping

3 Authentication Granted

4. Duo MFA

5. Create User session

6. Log into Splunk

1 Request Login 2 Duo MFA

3. Check authentication / group mapping

4 Create User session

5. Authentication Granted

6 Log into Splunk

Discussion 0

Questions 45

What options are available when creating custom roles? (select all that apply)

Options:

Restrict search terms

Whitelist search terms

Limit the number of concurrent search jobs

Allow or restrict indexes that can be searched.

Discussion 0

Questions 46

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

CLI

Splunk Web

Editing inputs. conf

Editing monitor. conf

Discussion 0

Questions 47

Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

Options:

Universal Forwarder

Search head

Heavy Forwarder

Indexer

Discussion 0

Answer:

C, D

Explanation:

The correct answer is C and D. A heavy forwarder and an indexer are the Splunk components that can break a stream of syslog inputs into individual events.

A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, but it does not perform any parsing or indexing on the data. A search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data.

A heavy forwarder is a Splunk component that can perform parsing, filtering, routing, and aggregation on the data before forwarding it to indexers or other destinations.A heavy forwarder can break a stream of syslog inputs into individual events based on the line breaker and should linemerge settings in the inputs.conf file1.

An indexer is a Splunk component that stores and indexes data, making it searchable.An indexer can also break a stream of syslog inputs into individual events based on the props.conf file settings, such as TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and line_breaker2.

A Splunk component is a software process that performs a specific function in a Splunk deployment, such as data collection, data processing, data storage, data search, or data visualization.
Syslog is a standard protocol for logging messages from network devices, such as routers, switches, firewalls, or servers. Syslog messages are typically sent over UDP or TCP to a central syslog server or a Splunk instance.
Breaking a stream of syslog inputs into individual events means separating the data into discrete records that can be indexed and searched by Splunk. Each event should have a timestamp, a host, a source, and a sourcetype, which are the default fields that Splunk assigns to the data.

References:

1: Configure inputs using Splunk Connect for Syslog - Splunk Documentation
2: inputs.conf - Splunk Documentation
3: How to configure props.conf for proper line breaking … - Splunk Community
4: Reliable syslog/tcp input – splunk bundle style | Splunk
5: Configure inputs using Splunk Connect for Syslog - Splunk Documentation
6: About configuration files - Splunk Documentation
[7]: Configure your OSSEC server to send data to the Splunk Add-on for OSSEC - Splunk Documentation
[8]: Splunk components - Splunk Documentation
[9]: Syslog - Wikipedia
[10]: About default fields - Splunk Documentation

Questions 48

The priority of layered Splunk configuration files depends on the file's:

Options:

Owner

Weight

Context

Creation time

Discussion 0

Questions 49

What action is required to enable forwarder management in Splunk Web?

Options:

Navigate to Settings > Server Settings > General Settings, and set an App server port.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

Create a server class and map it to a client inSPLUNK_HOME/etc/system/local/serverclass.conf.

Place an app in theSPLUNK_HOME/etc/deployment-appsdirectory of the deployment server.

Discussion 0

Questions 50

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

Typing pipeline

Parsing pipeline

fifo pipeline

Indexing pipeline

Discussion 0

Questions 51

Which pathway represents where a network input in Splunk might be found?

Options:

$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

$SPLUNK HOME/ system/ local /udp.conf

$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Discussion 0

Labour Day Special 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: exams65

examsbrite logo

Navigation:

Splunk Enterprise Certified Admin Exam SPLK-1003 Exam Questions with Experts Answers Updated Recently

Splunk Enterprise Certified Admin Exam Question and Answers

SPLK-1003 PDF

SPLK-1003 Testing Engine

SPLK-1003 PDF + Testing Engine

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Answer:

Explanation:

Options:

Options:

Options:

Answer:

Options:

Quick Links

Recently New Released Certification Exams

Site Secure