2026 New SPLK-1003 Exam Dumps with PDF and VCE Free: https://www.2passeasy.com/dumps/SPLK-1003/

Want to know the features of the Ucertify SPLK-1003 exam practice test? Want to learn more about the Splunk Enterprise Certified Admin certification experience? Study vivid Splunk SPLK-1003 answers to up-to-the-minute SPLK-1003 questions at Ucertify. Get success with an absolute guarantee to pass the Splunk SPLK-1003 (Splunk Enterprise Certified Admin) test on your first attempt.

Free SPLK-1003 Demo Online For Splunk Certification:

NEW QUESTION 1
What is required when adding a native user to Splunk? (Select all that apply.)

  • A. Password
  • B. Username
  • C. Full Name
  • D. Default app

Answer: CD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Addandeditusers

NEW QUESTION 2
In which Splunk configuration is the SEDCMD used?

  • A. props.conf
  • B. inputs.conf
  • C. indexes.conf
  • D. transforms.conf

Answer: A

Explanation:
Reference: https://answers.splunk.com/answers/212128/why-sedcmd-configured-in-propsconf-is-working-duri.html

NEW QUESTION 3
In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example: 2021-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

  • A. MAX_TIMESTAMP_LOOKAHEAD = 5
  • B. MAX_TIMESTAMP_LOOKAHEAD = 10
  • C. MAX_TIMESTAMP_LOOKAHEAD = 20
  • D. MAX_TIMESTAMP_LOOKAHEAD = 30

Answer: B

NEW QUESTION 4
Which of the following authentication types requires scripting in Splunk?

  • A. ADFS
  • B. LDAP
  • C. SAML
  • D. RADIUS

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/131127/scripted-authentication.html

NEW QUESTION 5
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

  • A. Universal forwarder
  • B. Parsing forwarder
  • C. Heavy forwarder
  • D. Advanced forwarder

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Forwarding/Typesofforwarders

NEW QUESTION 6
Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)

  • A. $SPLUNK_HOME/bin/scripts
  • B. $SPLUNK_HOME/etc/apps/bin
  • C. $SPLUNK_HOME/etc/system/bin
  • D. $SPLUNK_HOME/etc/apps/<your_app>/bin

Answer: ACD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Getdatafromscriptedinputs#Where_to_place_the_scripts_for_scripted_inputs

NEW QUESTION 7
How do you remove missing forwarders from the Monitoring Console?

  • A. By restarting Splunk.
  • B. By rescanning active forwarders.
  • C. By reloading the deployment server.
  • D. By rebuilding the forwarder asset table.

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/447096/how-to-remove-missing-forwarders-from-the-distribu.html

NEW QUESTION 8
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?

  • A. A list of all the configurations on-disk that Splunk contains.
  • B. A verbose list of all configurations as they were when splunkd started.
  • C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
  • D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/494219/need-help-with-what-should-be-a-simple-precedence.html

NEW QUESTION 9
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

  • A. ... is not supported in monitor stanzas.
  • B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
  • C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
  • D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

NEW QUESTION 10
Which of the following statements apply to directory inputs? (Select all that apply.)

  • A. All discovered text files are consumed.
  • B. Compressed files are ignored by default.
  • C. Splunk recursively traverses through the directory structure.
  • D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer: C

Explanation:
Reference: https://answers.splunk.com/answers/133875/recursive-monitoring-of-directories.html

NEW QUESTION 11
Which valid bucket types are searchable? (Select all that apply.)

  • A. Hot buckets
  • B. Cold buckets
  • C. Warm buckets
  • D. Frozen buckets

Answer: ABC

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/HowSplunkstoresindexes

NEW QUESTION 12
Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)

  • A. CLI
  • B. Edit inputs.conf
  • C. Edit forwarder.conf
  • D. Forwarder Management

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Configuretheuniversalforwarder

NEW QUESTION 13
Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

  • A. CLI
  • B. Splunk Web
  • C. Editing inputs.conf
  • D. Editing monitor.conf

Answer: AB

Explanation:
Reference: http://dev.splunk.com/view/dev-guide/SP-CAAAE3A

NEW QUESTION 14
During search time, which directory of configuration files has the highest precedence?

  • A. $SPLUNK_HOME/etc/system/local
  • B. $SPLUNK_HOME/etc/system/default
  • C. $SPLUNK_HOME/etc/apps/app1/local
  • D. $SPLUNK_HOME/etc/users/admin/local

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

NEW QUESTION 15
What options are available when creating custom roles? (Select all that apply.)

  • A. Restrict search terms.
  • B. Whitelist search terms.
  • C. Limit the number of concurrent search jobs.
  • D. Allow or restrict indexes that can be searched.

Answer: AD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Aboutusersandroles

NEW QUESTION 16
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?

  • A. True
  • B. False
  • C. <regex string>
  • D. Newline Character

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/704533/what-are-the-best-practices-for-defining-source-ty.html

NEW QUESTION 17
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

  • A. Indexers
  • B. Forwarder
  • C. Search head
  • D. Search peers

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Advancedindexingstrategy

NEW QUESTION 18
Within props.conf, which stanzas are valid for data modification? (Select all that apply.)

  • A. Host
  • B. Server
  • C. Source
  • D. Sourcetype

Answer: CD

Explanation:
Reference: https://answers.splunk.com/answers/3687/host-stanza-in-props-conf-not-being-honored-for-udp-514-data-sources.html

NEW QUESTION 19
Which setting in indexes.conf allows data retention to be controlled by time?

  • A. maxDaysToKeep
  • B. moveToFrozenAfter
  • C. maxDataRetentionTime
  • D. frozenTimePeriodInSecs

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/SmartStoredataretention

NEW QUESTION 20
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

  • A. /var/log/messages
  • B. /var/log/maillog
  • C. /var/log/maillog and /var/log/messages
  • D. none of the above

Answer: C

NEW QUESTION 21
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

  • A. Disk
  • B. CPUs
  • C. Memory
  • D. Network interface cards

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

NEW QUESTION 22
How often does Splunk recheck the LDAP server?

  • A. Every 5 minutes.
  • B. Each time a user logs in.
  • C. Each time Splunk is restarted.
  • D. Varies based on LDAP_refresh setting.

Answer: D

Explanation:
Reference: http://docshare02.docshare.tips/files/22651/226514302.pdf

NEW QUESTION 23
Which parent directory contains the configuration files in Splunk?

  • A. $SPLUNK_HOME/etc
  • B. $SPLUNK_HOME/var
  • C. $SPLUNK_HOME/conf
  • D. $SPLUNK_HOME/default

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories
