ExamGecko
Search Search Login
Home Home / Splunk / SPLK-1003

Splunk SPLK-1003 Practice Test - Questions Answers

Question list
Search
Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309 Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Which is a valid stanza for a network input?
In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?
What are the minimum required settings when creating a network input in Splunk?
Consider the following stanza in inputs.conf: What will the value of the source filed be for events generated by this scripts input?
Local user accounts created in Splunk store passwords in which file?
Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)
Running this search in a distributed environment: On what Splunk component does the eval command get executed?
User role inheritance allows what to be inherited from the parent role? (select all that apply)
Which of the following Splunk components require a separate installation package?

Question 1

Report
Export
Collapse

Which valid bucket types are searchable? (select all that apply)

A.
Hot buckets
A.
Hot buckets
Answers
B.
Cold buckets
B.
Cold buckets
Answers
C.
Warm buckets
C.
Warm buckets
Answers
D.
Frozen buckets
D.
Frozen buckets
Answers
Suggested answer: A, B, C

Explanation:

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 2

Report
Export
Collapse

How do you remove missing forwarders from the Monitoring Console?

A.
By restarting Splunk.
A.
By restarting Splunk.
Answers
B.
By rescanning active forwarders.
B.
By rescanning active forwarders.
Answers
C.
By reloading the deployment server.
C.
By reloading the deployment server.
Answers
D.
By rebuilding the forwarder asset table.
D.
By rebuilding the forwarder asset table.
Answers
Suggested answer: D

Question 3

Report
Export
Collapse

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

A.
Any OS platform
A.
Any OS platform
Answers
B.
Linux platform only
B.
Linux platform only
Answers
C.
Windows platform only.
C.
Windows platform only.
Answers
D.
None of the above.
D.
None of the above.
Answers
Suggested answer: A

Explanation:

"The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 4

Report
Export
Collapse

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

A.
REGEX, DEST. FORMAT
A.
REGEX, DEST. FORMAT
Answers
B.
REGEX. SRC_KEY, FORMAT
B.
REGEX. SRC_KEY, FORMAT
Answers
C.
REGEX, DEST_KEY, FORMAT
C.
REGEX, DEST_KEY, FORMAT
Answers
D.
REGEX, DEST_KEY FORMATTING
D.
REGEX, DEST_KEY FORMATTING
Answers
Suggested answer: C

Explanation:

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configuration require the FORMAT settings. The FORMAT settings is optional for searchtime field extraction configurations.

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 5

Report
Export
Collapse

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A.
_license
A.
_license
Answers
B.
_lnternal
B.
_lnternal
Answers
C.
_external
C.
_external
Answers
D.
_thefishbucket
D.
_thefishbucket
Answers
Suggested answer: B, D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 6

Report
Export
Collapse

How often does Splunk recheck the LDAP server?

A.
Every 5 minutes
A.
Every 5 minutes
Answers
B.
Each time a user logs in
B.
Each time a user logs in
Answers
C.
Each time Splunk is restarted
C.
Each time Splunk is restarted
Answers
D.
Varies based on LDAP_refresh setting.
D.
Varies based on LDAP_refresh setting.
Answers
Suggested answer: B

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 7

Report
Export
Collapse

Where are license files stored?

A.
$SPLUNK_HOME/etc/secure
A.
$SPLUNK_HOME/etc/secure
Answers
B.
$SPLUNK_HOME/etc/system
B.
$SPLUNK_HOME/etc/system
Answers
C.
$SPLUNK_HOME/etc/licenses
C.
$SPLUNK_HOME/etc/licenses
Answers
D.
$SPLUNK_HOME/etc/apps/licenses
D.
$SPLUNK_HOME/etc/apps/licenses
Answers
Suggested answer: C

Question 8

Report
Export
Collapse

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

A.
To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
A.
To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
Answers
B.
To ensure that configuration files have not been tampered with for auditing and/or legal purposes
B.
To ensure that configuration files have not been tampered with for auditing and/or legal purposes
Answers
C.
To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
C.
To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
Answers
D.
To ensure that data has not been tampered with for auditing and/or legal purposes
D.
To ensure that data has not been tampered with for auditing and/or legal purposes
Answers
Suggested answer: D

Question 9

Report
Export
Collapse

Which is a valid stanza for a network input?

A.
[udp://172.16.10.1:9997]connection = dnssourcetype = dns
A.
[udp://172.16.10.1:9997]connection = dnssourcetype = dns
Answers
B.
[any://172.16.10.1:10001]connection_host = ipsourcetype = web
B.
[any://172.16.10.1:10001]connection_host = ipsourcetype = web
Answers
C.
[tcp://172.16.10.1:9997]connection_host = websourcetype = web
C.
[tcp://172.16.10.1:9997]connection_host = websourcetype = web
Answers
D.
[tcp://172.16.10.1:10001]connection_host = dnssourcetype = dns
D.
[tcp://172.16.10.1:10001]connection_host = dnssourcetype = dns
Answers
Suggested answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/Bypassautomaticsourcetypeassignment

Question 10

Report
Export
Collapse

Which additional component is required for a search head cluster?

A.
Deployer
A.
Deployer
Answers
B.
Cluster Master
B.
Cluster Master
Answers
C.
Monitoring Console
C.
Monitoring Console
Answers
D.
Management Console
D.
Management Console
Answers
Suggested answer: A

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeploymentoverview

The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

Total 185 questions
Go to page: of 19
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms