Weekend Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: cramtick70

SPLK-1003 Splunk Enterprise Certified Admin Questions and Answers

Questions 4

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Options:

A.

index=main

B.

index=test

C.

index=summary

D.

index=_internal

Buy Now
Questions 5

All search-time field extractions should be specified on which Splunk component?

Options:

A.

Deployment server

B.

Universal forwarder

C.

Indexer

D.

Search head

Buy Now
Questions 6

Which setting in indexes. conf allows data retention to be controlled by time?

Options:

A.

maxDaysToKeep

B.

moveToFrozenAfter

C.

maxDataRetentionTime

D.

frozenTimePeriodlnSecs

Buy Now
Questions 7

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Buy Now
Questions 8

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

Options:

A.

/var/log/messages

B.

/var/log/maillog

C.

/var/log/maillog and /var/log/messages

D.

none of the above

Buy Now
Questions 9

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

Options:

A.

Deployer

B.

Cluster master

C.

Deployment server

D.

Search head cluster master

Buy Now
Questions 10

Which of the following applies only to Splunk index data integrity check?

Options:

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Buy Now
Questions 11

Which of the following statements describes how distributed search works?

Options:

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Buy Now
Questions 12

When using license pools, volume allocations apply to which Splunk components?

Options:

A.

Indexers

B.

Indexes

C.

Heavy Forwarders

D.

Search Heads

Buy Now
Questions 13

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as

follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

Options:

A.

props.conf

[mask-SSN]

REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"

FORMAT = $1###-##-$2

KEY = _raw

B.

props.conf

[mask-SSN]

REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"

FORMAT = $1###-##-$2

DEST_KEY = _raw

C.

transforms.conf

[mask-SSN]

REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"

FORMAT = $1###-##-$2

DEST_KEY = _raw

D.

transforms.conf

[mask-SSN]

REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"

FORMAT = $1###-##-$2

DEST_KEY = _raw

Buy Now
Questions 14

When are knowledge bundles distributed to search peers?

Options:

A.

After a user logs in.

B.

When Splunk is restarted.

C.

When adding a new search peer.

D.

When a distributed search is initiated.

Buy Now
Questions 15

How is data handled by Splunk during the input phase of the data ingestion process?

Options:

A.

Data is treated as streams.

B.

Data is broken up into events.

C.

Data is initially written to disk.

D.

Data is measured by the license meter.

Buy Now
Questions 16

What happens when the same username exists in Splunk as well as through LDAP?

Options:

A.

Splunk user is automatically deleted from authentication.conf.

B.

LDAP settings take precedence.

C.

Splunk settings take precedence.

D.

LDAP user is automatically deleted from authentication.conf

Buy Now
Questions 17

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Options:

A.

props.conf

B.

sourcetypes.conf

C.

transforms.conf

D.

outputs.conf

Buy Now
Questions 18

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

Options:

A.

Buy a bigger Splunk license.

B.

Add 2.5 TB each day for the next 5 days.

C.

Add all 10 TB in a single 24 hour period.

D.

Add 200 GB of historical data each day for 50 days.

Buy Now
Questions 19

What action is required to enable forwarder management in Splunk Web?

Options:

A.

Navigate to Settings > Server Settings > General Settings, and set an App server port.

B.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C.

Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

D.

Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Buy Now
Questions 20

Local user accounts created in Splunk store passwords in which file?

Options:

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Buy Now
Questions 21

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

Options:

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Buy Now
Questions 22

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

A)

B)

C)

D)

Options:

A.

option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 23

What is the correct example to redact a plain-text password from raw events?

Options:

A.

in props.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

B.

in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

C.

in transforms.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

D.

in transforms.conf:

[identity]

REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Buy Now
Questions 24

Which of the following statements describe deployment management? (select all that apply)

Options:

A.

Requires an Enterprise license

B.

Is responsible for sending apps to forwarders.

C.

Once used, is the only way to manage forwarders

D.

Can automatically restart the host OS running the forwarder.

Buy Now
Questions 25

Which of the following statements apply to directory inputs? {select all that apply)

Options:

A.

All discovered text files are consumed.

B.

Compressed files are ignored by default

C.

Splunk recursively traverses through the directory structure.

D.

When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Buy Now
Questions 26

The LINE_BREAKER attribute is configured in which configuration file?

Options:

A.

props.conf

B.

indexes.conf

C.

inpucs.conf

D.

transforms.conf

Buy Now
Questions 27

Syslog files are being monitored on a Heavy Forwarder.

Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

Options:

A.

Heavy Forwarder

B.

Indexer

C.

Search head

D.

Deployment server

Buy Now
Questions 28

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

Options:

A.

Splunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

B.

Splunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

C.

Splunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

D.

Splunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Buy Now
Questions 29

An admin oversees an environment with a 1000 GBI day license. The configuration file

server.conf has strict pool quota=false set. The license is divided into the following three pools, and today's usage is shown on the right-hand column:

PoolLicense SizeToday's usage

X500 GB/day100 GB

Y350 GB/day400 GB

Z150 GB/day300 GB

Given this, which pool(s) are issued warnings?

Options:

A.

All pools

B.

Z only

C.

None

D.

Y and Z

Buy Now
Questions 30

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

Options:

A.

Duo Administrator

B.

LDAP Administrator

C.

SAML Administrator

D.

Trio Administrator

Buy Now
Questions 31

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

Options:

A.

channelTTL

B.

connectionTimeout

C.

autoLBFrequency

D.

secsInFailurelnterval

Buy Now
Questions 32

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

A.

fifo pipeline

B.

Indexing pipeline

C.

Parsing pipeline

D.

Typing pipeline

Buy Now
Questions 33

Which Splunk forwarder has a built-in license?

Options:

A.

Light forwarder

B.

Heavy forwarder

C.

Universal forwarder

D.

Cloud forwarder

Buy Now
Questions 34

What is a role in Splunk? (select all that apply)

Options:

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Buy Now
Questions 35

Which of the following apply to how distributed search works? (select all that apply)

Options:

A.

The search head dispatches searches to the peers

B.

The search peers pull the data from the forwarders.

C.

Peers run searches in parallel and return their portion of results.

D.

The search head consolidates the individual results and prepares reports

Buy Now
Questions 36

What is the correct curl to send multiple events through HTTP Event Collector?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 37

The priority of layered Splunk configuration files depends on the file's:

Options:

A.

Owner

B.

Weight

C.

Context

D.

Creation time

Buy Now
Questions 38

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Options:

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Buy Now
Questions 39

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

Options:

A.

_TCP_ROUTING

B.

_INDEXER_LIST

C.

_INDEXER_GROUP

D.

_INDEXER ROUTING

Buy Now
Questions 40

What type of Splunk license is pre-selected in a brand new Splunk installation?

Options:

A.

Free license

B.

Forwarder license

C.

Enterprise trial license

D.

Enterprise license

Buy Now
Questions 41

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Buy Now
Questions 42

What is an example of a proper configuration for CHARSET within props.conf?

Options:

A.

[host: : server. splunk. com]

CHARSET = BIG5

B.

[index: :main]

CHARSET = BIG5

C.

[sourcetype: : son]

CHARSET = BIG5

D.

[source: : /var/log/ splunk]

CHARSET = BIG5

Buy Now
Questions 43

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Options:

A.

SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

B.

SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

C.

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

D.

SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Buy Now
Questions 44

Which of the following is a valid distributed search group?

Options:

A.

[distributedSearch:Paris] default = false servers = server1, server2

B.

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C.

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D.

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Buy Now
Questions 45

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

Options:

A.

REGEX, DEST. FORMAT

B.

REGEX. SRC_KEY, FORMAT

C.

REGEX, DEST_KEY, FORMAT

D.

REGEX, DEST_KEY FORMATTING

Buy Now
Questions 46

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

Options:

A.

Users will continue to operate under their previous role until the next time they log into Splunk.

B.

Search is disabled until users reauthenticate.

C.

Only newly created user accounts are affected by the role change.

D.

The role update terminates the user’s current session, and they have to log back in.

Buy Now
Questions 47

The following stanza is active in indexes.conf:

[cat_facts]

maxHotSpanSecs = 3600

frozenTimePeriodInSecs = 2630000

maxTota1DataSizeMB = 650000

All other related indexes.conf settings are default values.

If the event timestamp was 3739283 seconds ago, will it be searchable?

Options:

A.

Yes, only if the bucket is still hot.

B.

No, because the index will have exceeded its maximum size.

C.

Yes, only if the index size is also below 650000 MB.

D.

No, because the event time is greater than the retention time.

Buy Now
Questions 48

To set up a Network input in Splunk, what needs to be specified'?

Options:

A.

File path.

B.

Username and password

C.

Network protocol and port number.

D.

Network protocol and MAC address.

Buy Now
Questions 49

How do you remove missing forwarders from the Monitoring Console?

Options:

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Buy Now
Questions 50

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Buy Now
Questions 51

Which parent directory contains the configuration files in Splunk?

Options:

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Buy Now
Questions 52

What is the default character encoding used by Splunk during the input phase?

Options:

A.

UTF-8

B.

UTF-16

C.

EBCDIC

D.

ISO 8859

Buy Now
Questions 53

What is the valid option for a [monitor] stanza in inputs.conf?

Options:

A.

enabled

B.

datasource

C.

server_name

D.

ignoreOlderThan

Buy Now
Questions 54

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Buy Now
Questions 55

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

Options:

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Buy Now
Questions 56

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

Options:

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Buy Now
Questions 57

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?

Options:

A.

Indexer clustering

B.

LDAP control

C.

Distributed search

D.

Search head clustering

Buy Now
Questions 58

When should the Data Preview feature be used?

Options:

A.

When extracting fields for ingested data.

B.

When previewing the data before searching.

C.

When reviewing data on the source host.

D.

When validating the parsing of data.

Buy Now
Questions 59

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

Options:

A.

Map Users

B.

Map Groups

C.

Map LDAP Inheritance

D.

Map LDAP to Active Directory

Buy Now
Questions 60

What action is required to enable forwarder management in Splunk Web?

Options:

A.

Navigate to Settings > Server Settings > General Settings, and set an App server port.

B.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C.

Create a server class and map it to a client inSPLUNK_HOME/etc/system/local/serverclass.conf.

D.

Place an app in theSPLUNK_HOME/etc/deployment-appsdirectory of the deployment server.

Buy Now
Questions 61

A Universal Forwarder is monitoring a very active syslog stream and as a result is unable to switch between destinations. How would an admin safely remediate this issue?

Options:

A.

Configure and enable the LINE_BREAKER on the forwarder.

B.

Configure useAck on the forwarder.

C.

Configure forceTimebasedAutoLB on the forwarder.

D.

Configure and enable the FVFNT BREAKER on the forwarder.

Buy Now
Questions 62

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

Options:

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Buy Now
Questions 63

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

Options:

A.

Any OS platform

B.

Linux platform only

C.

Windows platform only.

D.

None of the above.

Buy Now
Questions 64

In this example, ifuseACKis set to true and themaxQueueSizeis set to 7MB, what is the size of the wait queue on this universal forwarder?

Options:

A.

21MB

B.

28MB

C.

14MB

D.

7MB

Buy Now
Questions 65

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

Options:

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Buy Now
Questions 66

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

Options:

A.

$SFLUNK_HOME/bin/scripts

B.

$SPLUNK_HOME/etc/apps/bin

C.

$SPLUNK_HOME/etc/system/bin

D.

$S?LUNK_HOME/etc/apps//bin_

Buy Now
Questions 67

When are knowledge bundles distributed to search peers?

Options:

A.

After a user logs in.

B.

When Splunk is restarted.

C.

When adding a new search peer.

D.

When a distributed search is initiated.

Buy Now
Questions 68

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

Options:

A.

Apps

B.

Search

C.

Data preview

D.

Forwarder inputs

Buy Now
Questions 69

Which of the following CLI commands removes a search peer from Distributed Search?

Options:

A.

splunk remove search-server -auth admin:password 123.45.67.89:8089

B.

splunk clear search-server -auth admin:password 123.45.67.89:8089

C.

splunk clear search-peer -auth admin:password 123.45.67.89:8089

D.

splunk remove search-peer -auth admin:password 123.45.67.89:8089

Buy Now
Questions 70

Which of the following is true when authenticating users to Splunk using LDAP?

Options:

A.

LDAP group names must match the Splunk role name defined in authorize.conf.

B.

Splunk will search each LDAP strategy in the order in which they are listed in authentication.conf.

C.

Splunk only supports encrypted LDAP connections.

D.

LDAP will take precedence over local users with the same username as defined in etc/passwd.

Buy Now
Questions 71

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

Options:

A.

It requires a separate channel provided by the client.

B.

It is configured the same as indexer acknowledgement used to protect in-flight data.

C.

It can be enabled at the global setting level.

D.

It stores status information on the Splunk server.

Buy Now
Questions 72

Which of the methods listed below supports muti-factor authentication?

Options:

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAML)

C.

Single Sign-on (SSO)

D.

OpenlD

Buy Now
Questions 73

Immediately after installation, what will a Universal Forwarder do first?

Options:

A.

Automatically detect any indexers in its subnet and begin routing data.

B.

Begin generating internal Splunk logs.

C.

Begin reading local files on its server.

D.

Send an email to the operator that the installation process has completed.

Buy Now
Questions 74

What is the default value ofLINE_BREAKER?

Options:

A.

\r\n

B.

([\r\n]+)

C.

\r+\n+

D.

(\r\n+)

Buy Now
Questions 75

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of

users?

Options:

A.

Linked roles

B.

Grantable roles

C.

Role federation

D.

Role inheritance

Buy Now
Questions 76

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

Options:

A.

GUID

B.

DNS

C.

Hash Checksum

D.

IP Address

Buy Now
Questions 77

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Options:

A.

bucketdb

B.

frozendb

C.

colddb

D.

db

Buy Now
Questions 78

What is the default character encoding used by Splunk during the input phase?

Options:

A.

UTF-8

B.

UTF-16

C.

EBCDIC

D.

ISO 8859

Buy Now
Questions 79

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

Options:

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Buy Now
Questions 80

When indexing a data source, which fields are considered metadata?

Options:

A.

source, host, time

B.

time, sourcetype, source

C.

host, raw, sourcetype

D.

sourcetype, source, host

Buy Now
Questions 81

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

Options:

A.

Index once.

B.

Monitor interval.

C.

On-demand monitor.

D.

Continuously monitor.

Buy Now
Questions 82

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

Options:

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Buy Now
Questions 83

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Options:

A.

inputs.conf

B.

indexes.conf

C.

outputs.conf

D.

servers.conf

Buy Now
Questions 84

Which of the following is accurate regarding the input phase?

Options:

A.

Breaks data into events with timestamps.

B.

Applies event-level transformations.

C.

Fine-tunes metadata.

D.

Performs character encoding.

Buy Now
Questions 85

Which additional component is required for a search head cluster?

Options:

A.

Deployer

B.

Cluster Master

C.

Monitoring Console

D.

Management Console

Buy Now
Questions 86

Event processing occurs at which phase of the data pipeline?

Options:

A.

Search

B.

Indexing

C.

Parsing

D.

Input

Buy Now
Questions 87

Consider the following stanza ininputs.conf:

What will the value of the source filed be for events generated by this scripts input?

Options:

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Buy Now
Questions 88

Which of the following are reasons to create separate indexes? (Choose all that apply.)

Options:

A.

Different retention times.

B.

Increase number of users.

C.

Restrict user permissions.

D.

File organization.

Buy Now
Questions 89

How is data handled by Splunk during the input phase of the data ingestion process?

Options:

A.

Data is treated as streams.

B.

Data is broken up into events.

C.

Data is initially written to disk.

D.

Data is measured by the license meter.

Buy Now
Questions 90

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Buy Now
Questions 91

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

Options:

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Buy Now
Questions 92

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

Options:

A.

services/collector

B.

data/collector

C.

services/inputs?raw

D.

services/data/collector

Buy Now
Questions 93

What is the name of the object that stores events inside of an index?

Options:

A.

Container

B.

Bucket

C.

Data layer

D.

Indexer

Buy Now
Questions 94

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

Options:

A.

True

B.

False

C.

D.

Newline Character

Buy Now
Questions 95

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

A.

License data

B.

Metricsdata

C.

Internal Splunk data

D.

Internal Windows logs

Buy Now
Questions 96

Which Splunk component would one use to perform line breaking prior to indexing?

Options:

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Buy Now
Questions 97

A user is assigned two roles with the following search filters. What is the user's applied search filter?

Options:

A.

B.

B.

C.

C.

D.

D.

Buy Now
Questions 98

What is the correct order of steps in Duo Multifactor Authentication?

Options:

A.

1 Request Login2. Connect to SAML server3 Duo MFA4 Create User session5 Authentication Granted 6. Log into Splunk

B.

1. Request Login 2 Duo MFA3. Authentication Granted 4 Connect to SAML server5. Log into Splunk6. Create User session

C.

1 Request Login2 Check authentication / group mapping3 Authentication Granted4. Duo MFA5. Create User session6. Log into Splunk

D.

1 Request Login 2 Duo MFA3. Check authentication / group mapping4 Create User session5. Authentication Granted6 Log into Splunk

Buy Now
Questions 99

What is the correct order of index time precedence?

(For each of the following, highest precedence is shown at the top and lowest precedence is shown at the bottom)

Options:

A.

B.

B.

C.

C.

D.

D.

Buy Now
Questions 100

Which Splunk configuration file is used to enable data integrity checking?

Options:

A.

props.conf

B.

global.conf

C.

indexes.conf

D.

data_integrity.conf

Buy Now
Questions 101

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

Options:

A.

Heavy Forwarders

B.

Universal Forwarders

C.

Search peers

D.

Search heads

Buy Now
Questions 102

During search time, which directory of configuration files has the highest precedence?

Options:

A.

$SFLUNK_KOME/etc/system/local

B.

$SPLUNK_KCME/etc/system/default

C.

$SPLUNK_HCME/etc/apps/app1/local

D.

$SPLUNK HCME/etc/users/admin/local

Buy Now
Questions 103

Which of the following applies only to Splunk index data integrity check?

Options:

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Buy Now
Questions 104

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Options:

A.

index=main

B.

index=test

C.

index=summary

D.

index=_internal

Buy Now
Questions 105

Local user accounts created in Splunk store passwords in which file?

Options:

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Buy Now
Questions 106

Which of the following is a valid method to create a Splunk user?

Options:

A.

Create a support ticket.

B.

Create a user on the host operating system.

C.

Splunk REST API.

D.

Add the username to users. conf.

Buy Now
Questions 107

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

Options:

A.

Indexer

B.

Deployment server

C.

Universal forwarder

D.

Search head

Buy Now
Questions 108

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

Options:

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Buy Now
Questions 109

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

Options:

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Buy Now
Questions 110

Which of the following lists the three phases of the Splunk Indexing process in order?

Options:

A.

Ingest phaseLicensing phaseParsing phase

B.

Sourcetype phaseIndex phaseWrite-to-disk phase

C.

Input phaseParsing phaseIndexing phase

D.

Ingest phaseTransforming phaseIndexing phase

Buy Now
Questions 111

Which parent directory contains the configuration files in Splunk?

Options:

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Buy Now
Questions 112

Which of the following statements describes how distributed search works?

Options:

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Buy Now
Exam Code: SPLK-1003
Exam Name: Splunk Enterprise Certified Admin
Last Update: Jul 5, 2025
Questions: 196
SPLK-1003 pdf

SPLK-1003 PDF

$25.5  $84.99
SPLK-1003 Engine

SPLK-1003 Testing Engine

$30  $99.99
SPLK-1003 PDF + Engine

SPLK-1003 PDF + Testing Engine

$40.5  $134.99