
Splunk SPLK-1003 Practice Test - Questions Answers


Question 1


Which valid bucket types are searchable? (select all that apply)

A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets
Suggested answer: A, B, C
Explanation:

Hot, warm, cold, and thawed buckets are searchable. Frozen buckets are not searchable because data in that state is either deleted or archived.

asked 23/09/2024
Kinzonji Tavares

Question 2


How do you remove missing forwarders from the Monitoring Console?

A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.
Suggested answer: D
asked 23/09/2024
Chris Morris

Question 3


Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

A. Any OS platform
B. Linux platform only
C. Windows platform only.
D. None of the above.
Suggested answer: A
Explanation:

"The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP."

asked 23/09/2024
Maria Deras

Question 4


What are the required stanza attributes when configuring transforms.conf to manipulate or remove events?

A. REGEX, DEST, FORMAT
B. REGEX, SRC_KEY, FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY FORMATTING
Suggested answer: C
Explanation:

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configurations require the FORMAT setting. The FORMAT setting is optional for search-time field extraction configurations.

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where Splunk software stores the expanded FORMAT results in accordance with the REGEX match.

asked 23/09/2024
Pedro Faro

Question 5


Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A. _license
B. _internal
C. _external
D. _thefishbucket
Suggested answer: B, D
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

asked 23/09/2024
Peter Dunčko

Question 6


How often does Splunk recheck the LDAP server?

A. Every 5 minutes
B. Each time a user logs in
C. Each time Splunk is restarted
D. Varies based on LDAP_refresh setting.
Suggested answer: B
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

asked 23/09/2024
Sam Krupesh

Question 7


Where are license files stored?

A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses
Suggested answer: C
asked 23/09/2024
Rui Carrapico

Question 8


In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

A. To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes
Suggested answer: D
asked 23/09/2024
Francinilo Leitao Ferreira

Question 9


Which is a valid stanza for a network input?

A. [udp://172.16.10.1:9997]
   connection = dns
   sourcetype = dns
B. [any://172.16.10.1:10001]
   connection_host = ip
   sourcetype = web
C. [tcp://172.16.10.1:9997]
   connection_host = web
   sourcetype = web
D. [tcp://172.16.10.1:10001]
   connection_host = dns
   sourcetype = dns
Suggested answer: D
Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/Bypassautomaticsourcetypeassignment

asked 23/09/2024
Alberto Castillo

Question 10


Which additional component is required for a search head cluster?

A. Deployer
B. Cluster Master
C. Monitoring Console
D. Management Console
Suggested answer: A
Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeploymentoverview

The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

asked 23/09/2024
Kaddy Kabuya
Total 189 questions