
SPLK-1003: Splunk Enterprise Certified Admin

Exam Questions: 189
Learners: 2.370
Last Updated: February 2025
Language: English
This study guide should help you understand what to expect on the exam and includes a summary of the topics the exam might cover and links to additional resources. The information and materials in this document should help you focus your studies as you prepare for the exam.

Related questions

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?


Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
Suggested answer: D
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled "Define the sed script in props.conf" shows the correct syntax in an example, which confirms that the backreference \1 immediately precedes the /g.

asked 23/09/2024
souhaib chabchoub
37 questions

Which of the following statements describe deployment management? (select all that apply)

A. Requires an Enterprise license
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders
D. Can automatically restart the host OS running the forwarder.
Suggested answer: A, B
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

"All Splunk Enterprise instances functioning as management components needs access to an Enterprise license. Management components include the deployment server, the indexer cluster manager node, the search head cluster deployer, and the monitoring console."

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

"The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances."

asked 23/09/2024
ABCO TECHNOLOGY
32 questions

Which is a valid stanza for a network input?

A.
[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B.
[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C.
[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D.
[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Suggested answer: D
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/Bypassautomaticsourcetypeassignment

asked 23/09/2024
Alberto Castillo
35 questions

What are the minimum required settings when creating a network input in Splunk?

A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number
Suggested answer: A
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:<port>]

* Configures the input to listen on a specific TCP network port.
* If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.
* If you do not specify <remote server>, this stanza matches all connections on the specified port.
* Generates events with source set to "tcp:<port>", for example: tcp:514
* If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw"

asked 23/09/2024
Jarrell John Garcia
37 questions

Consider the following stanza in inputs.conf:

[Image: inputs.conf stanza for Question 104, not reproduced]

What will the value of the source field be for events generated by this script input?

A. /opt/splunk/ecc/apps/search/bin/liscer.sh
B. unknown
C. liscer
D. liscer.sh
Suggested answer: A
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

asked 23/09/2024
Instel SL
28 questions

Local user accounts created in Splunk store passwords in which file?

A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf
Suggested answer: A
Explanation:

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Userseedconf "To set the default username and password, place user-seed.conf in $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used."

asked 23/09/2024
Selladurai Ravi
42 questions

Running this search in a distributed environment:

[Image: search for Question 146, not reproduced]

On what Splunk component does the eval command get executed?


Which file will be matched for the following monitor stanza in inputs.conf?


Within props.conf, which stanzas are valid for data modification? (select all that apply)

A. Host
B. Server
C. Source
D. Sourcetype
Suggested answer: A, C, D
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

"* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts." https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

asked 23/09/2024
Michel Flipse
41 questions