Summer Sale - Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: dpt65

SPLK-1003 Questions and Answers

Question # 6

Which Splunk component would one use to perform line breaking prior to indexing?

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Full Access
Question # 7

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Full Access
Question # 8

Which layers are involved in Splunk configuration file layering? (select all that apply)

A.

App context

B.

User context

C.

Global context

D.

Forwarder context

Full Access
Question # 9

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A.

$SFLUNK_HOME/bin/scripts

B.

$SPLUNK_HOME/etc/apps/bin

C.

$SPLUNK_HOME/etc/system/bin

D.

$S?LUNK_HOME/etc/apps//bin_

Full Access
Question # 10

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

A.

diskQueueSize

B.

durableQueueSize

C persistentOueueSize

C.

queueSize

Full Access
Question # 11

In which Splunk configuration is the SEDCMD used?

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Full Access
Question # 12

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Full Access
Question # 13

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

A.

Default app

B.

LDAP group

C.

Password

D.

Username

Full Access
Question # 14

An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the default props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be added to the user’s local context to disable the field aliases?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 15

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

A.

If Splunk is restarted, data will be queued and then sent when Splunk has restarted.

B.

Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

C.

The host value associated with data received will be the IP address that sent the data.

D.

If Splunk is restarted, data may be lost.

Full Access
Question # 16

When using license pools, volume allocations apply to which Splunk components?

A.

Indexers

B.

Indexes

C.

Heavy Forwarders

D.

Search Heads

Full Access
Question # 17

What is a role in Splunk? (select all that apply)

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Full Access
Question # 18

What action is required to enable forwarder management in Splunk Web?

A.

Navigate to Settings > Server Settings > General Settings, and set an App server port.

B.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C.

Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

D.

Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Full Access
Question # 19

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Full Access
Question # 20

What conf file needs to be edited to set up distributed search groups?

A.

props.conf

B.

search.conf

C.

distsearch.conf

D.

distibutedsearch.conf

Full Access
Question # 21

Which Splunk component does a search head primarily communicate with?

A.

Indexer

B.

Forwarder

C.

Cluster master

D.

Deployment server

Full Access
Question # 22

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Full Access
Question # 23

Which of the following apply to how distributed search works? (select all that apply)

A.

The search head dispatches searches to the peers

B.

The search peers pull the data from the forwarders.

C.

Peers run searches in parallel and return their portion of results.

D.

The search head consolidates the individual results and prepares reports

Full Access
Question # 24

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

A.

LDAP

B.

SAML

C.

RADIUS

D.

Duo Multifactor Authentication

Full Access
Question # 25

Which is a valid stanza for a network input?

A.

[udp://172.16.10.1:9997]

connection = dns

sourcetype = dns

B.

[any://172.16.10.1:10001]

connection_host = ip

sourcetype = web

C.

[tcp://172.16.10.1:9997]

connection_host = web

sourcetype = web

D.

[tcp://172.16.10.1:10001]

connection_host = dns

sourcetype = dns

Full Access
Question # 26

Which artifact is required in the request header when creating an HTTP event?

A.

ackID

B.

Token

C.

Manifest

D.

Host name

Full Access
Question # 27

How does the Monitoring Console monitor forwarders?

A.

By pulling internal logs from forwarders.

B.

By using the forwarder monitoring add-on

C.

With internal logs forwarded by forwarders.

D.

With internal logs forwarded by deployment server.

Full Access
Question # 28

Which of the following is a benefit of distributed search?

A.

Peers run search in sequence.

B.

Peers run search in parallel.

C.

Resilience from indexer failure.

D.

Resilience from search head failure.

Full Access
Question # 29

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

A.

Any OS platform

B.

Linux platform only

C.

Windows platform only.

D.

None of the above.

Full Access
Question # 30

Which of the following is valid distribute search group?

A)

B)

C)

D)

A.

option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 31

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

A.

On Universal Forwarder, $SPLUNK_HOME/etc/apps

B.

On Deployment Server, $SPLUNK_HOME/etc/apps

C.

On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

D.

On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Full Access
Question # 32

During search time, which directory of configuration files has the highest precedence?

A.

$SFLUNK_KOME/etc/system/local

B.

$SPLUNK_KCME/etc/system/default

C.

$SPLUNK_HCME/etc/apps/app1/local

D.

$SPLUNK HCME/etc/users/admin/local

Full Access
Question # 33

Which of the following is the use case for the deployment server feature of Splunk?

A.

Managing distributed workloads in a Splunk environment.

B.

Automating upgrades of Splunk forwarder installations on endpoints.

C.

Orchestrating the operations and scale of a containerized Splunk deployment.

D.

Updating configuration and distributing apps to processing components, primarily forwarders.

Full Access
Question # 34

Syslog files are being monitored on a Heavy Forwarder.

Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

A.

Heavy Forwarder

B.

Indexer

C.

Search head

D.

Deployment server

Full Access
Question # 35

What is the correct curl to send multiple events through HTTP Event Collector?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 36

What is the name of the object that stores events inside of an index?

A.

Container

B.

Bucket

C.

Data layer

D.

Indexer

Full Access
Question # 37

Which scenario is applicable given the stanzas in authentication.conf below?

[authentication]

externalTwoFactorAuthVendor = Duo

externalTwoFactorAuthSettings = duoMFA

[duoMFA]

integrationKey = aGFwcHliaXJ0aGRheU1pZGR5

secretKey = YXVzdHJhaWxpYW5Gb3JHcmVw

applicationKey = c3BsaW5raW5ndGhlcGx1bWJ1c3NpbmN1OTU

apiHostname = 466993018.duosecurity.com

failOpen = True

timeout = 60

A.

If Splunk cannot connect to the multifactor authentication provider, all logins will be denied.

B.

Multifactor authentication is required to log into the host operating system.

C.

The secretKey does not need to be protected since multifactor authentication is turned on.

D.

If Splunk cannot connect to the multifactor authentication provider, authentications will be successful without completing a multifactor challenge.

Full Access
Question # 38

An admin oversees an environment with a 1000 GBI day license. The configuration file

server.conf has strict pool quota=false set. The license is divided into the following three pools, and today's usage is shown on the right-hand column:

PoolLicense SizeToday's usage

X500 GB/day100 GB

Y350 GB/day400 GB

Z150 GB/day300 GB

Given this, which pool(s) are issued warnings?

A.

All pools

B.

Z only

C.

None

D.

Y and Z

Full Access
Question # 39

Which of the following applies only to Splunk index data integrity check?

A.

Lookup table

B.

Summary Index

C.

Raw data in the index

D.

Data model acceleration

Full Access
Question # 40

What is the default character encoding used by Splunk during the input phase?

A.

UTF-8

B.

UTF-16

C.

EBCDIC

D.

ISO 8859

Full Access
Question # 41

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

A.

Tail Reader

B.

Upload

C.

MonitorNoHandIe

D.

Monitor

Full Access
Question # 42

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of

users?

A.

Linked roles

B.

Grantable roles

C.

Role federation

D.

Role inheritance

Full Access
Question # 43

What type of Splunk license is pre-selected in a brand new Splunk installation?

A.

Free license

B.

Forwarder license

C.

Enterprise trial license

D.

Enterprise license

Full Access
Question # 44

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A.

_TCP_ROUTING

B.

_INDEXER_LIST

C.

_INDEXER_GROUP

D.

_INDEXER ROUTING

Full Access
Question # 45

Which of the following is a valid method to create a Splunk user?

A.

Create a support ticket.

B.

Create a user on the host operating system.

C.

Splunk REST API.

D.

Add the username to users. conf.

Full Access
Question # 46

Local user accounts created in Splunk store passwords in which file?

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Full Access
Question # 47

How often does Splunk recheck the LDAP server?

A.

Every 5 minutes

B.

Each time a user logs in

C.

Each time Splunk is restarted

D.

Varies based on LDAP_refresh setting.

Full Access
Question # 48

Within props. conf, which stanzas are valid for data modification? (select all that apply)

A.

Host

B.

Server

C.

Source

D.

Sourcetype

Full Access
Question # 49

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

A.

props.conf

B.

inputs.conf

C.

outputs.conf

D.

collections.conf

Full Access
Question # 50

What happens when there are conflicting settings within two or more configuration files?

A.

The setting is ignored until conflict is resolved.

B.

The setting for both values will be used together.

C.

The setting with the lowest precedence is used.

D.

The setting with the highest precedence is used.

Full Access
Question # 51

The LINE_BREAKER attribute is configured in which configuration file?

A.

props.conf

B.

indexes.conf

C.

inpucs.conf

D.

transforms.conf

Full Access
Question # 52

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Full Access
Question # 53

How do you remove missing forwarders from the Monitoring Console?

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Full Access
Question # 54

The following stanza is active in indexes.conf:

[cat_facts]

maxHotSpanSecs = 3600

frozenTimePeriodInSecs = 2630000

maxTota1DataSizeMB = 650000

All other related indexes.conf settings are default values.

If the event timestamp was 3739283 seconds ago, will it be searchable?

A.

Yes, only if the bucket is still hot.

B.

No, because the index will have exceeded its maximum size.

C.

Yes, only if the index size is also below 650000 MB.

D.

No, because the event time is greater than the retention time.

Full Access
Question # 55

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

A.

Blacklist

B.

Whitelist

C.

They cancel each other out.

D.

Whichever is entered into the configuration first.

Full Access