ExamGecko
Search Search Login
Home Home / Splunk / SPLK-1003

Splunk SPLK-1003 Practice Test - Questions Answers, Page 10

Question list
Search
Search

List of questions

Search
Open VPLUS File
Convert VPLUS to PDF

Related questions

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309 Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Which is a valid stanza for a network input?
In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?
What are the minimum required settings when creating a network input in Splunk?
Consider the following stanza in inputs.conf: What will the value of the source filed be for events generated by this scripts input?
Local user accounts created in Splunk store passwords in which file?
Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)
Running this search in a distributed environment: On what Splunk component does the eval command get executed?
User role inheritance allows what to be inherited from the parent role? (select all that apply)
Which of the following Splunk components require a separate installation package?

Question 91

Report
Export
Collapse

When indexing a data source, which fields are considered metadata?

A.
source, host, time
A.
source, host, time
Answers
B.
time, sourcetype, source
B.
time, sourcetype, source
Answers
C.
host, raw, sourcetype
C.
host, raw, sourcetype
Answers
D.
sourcetype, source, host
D.
sourcetype, source, host
Answers
Suggested answer: D

Explanation:

Reference:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/SearchReference/Metadata

Question 92

Report
Export
Collapse

What is the default value of LINE_BREAKER?

A.
\r\n
A.
\r\n
Answers
B.
([\r\n]+)
B.
([\r\n]+)
Answers
C.
\r+\n+
C.
\r+\n+
Answers
D.
(\r\n+)
D.
(\r\n+)
Answers
Suggested answer: B

Explanation:

Reference:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Data/Configureeventlinebreaking

Line breaking, which uses the LINE_BREAKER setting to split the incoming stream of data into separate lines. By default, the LINE_BREAKER value is any sequence of newlines and carriage returns.

In regular expression format, this is represented as the following string: ([\r\n]+). You don't normally need to adjust this setting, but in cases where it's necessary, you must configure it in the props.conf configuration file on the forwarder that sends the data to Splunk Cloud Platform or a Splunk Enterprise indexer. The LINE_BREAKER setting expects a value in regular expression format.

Question 93

Report
Export
Collapse

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A.
[monitor:///var/log/.../secure.*
A.
[monitor:///var/log/.../secure.*
Answers
B.
[monitor:///var/log/www1/secure.*]
B.
[monitor:///var/log/www1/secure.*]
Answers
C.
[monitor:///var/log/www1/secure.log]
C.
[monitor:///var/log/www1/secure.log]
Answers
D.
[monitor:///var/log/www*/secure.*]
D.
[monitor:///var/log/www*/secure.*]
Answers
Suggested answer: C

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Monitorfilesanddirectorieswithinputs.conf

Question 94

Report
Export
Collapse

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

A.
host=server1index=unixinfo
A.
host=server1index=unixinfo
Answers
B.
host=server1index=searchinfo
B.
host=server1index=searchinfo
Answers
C.
host=searchsvr1index=searchinfo
C.
host=searchsvr1index=searchinfo
Answers
D.
host=unixsvr1index=unixinfo
D.
host=unixsvr1index=unixinfo
Answers
Suggested answer: A

Explanation:

- etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see : https://community.splunk.com/t5/Getting-Data-In/What-is-theprecedence-for-identical-stanzas-within-a-single/m-p/283566

Question 95

Report
Export
Collapse

An index stores its data in buckets. Which default directories does Splunk use to store buckets?

(Choose all that apply.)

A.
bucketdb
A.
bucketdb
Answers
B.
frozendb
B.
frozendb
Answers
C.
colddb
C.
colddb
Answers
D.
db
D.
db
Answers
Suggested answer: C, D

Explanation:

Reference: https://wiki.splunk.com/Deploy:BucketRotationAndRetention

Question 96

Report
Export
Collapse

The LINE_BREAKER attribute is configured in which configuration file?

A.
props.conf
A.
props.conf
Answers
B.
indexes.conf
B.
indexes.conf
Answers
C.
inpucs.conf
C.
inpucs.conf
Answers
D.
transforms.conf
D.
transforms.conf
Answers
Suggested answer: A

Explanation:

Reference:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Data/Configureeventlinebreaking

Question 97

Report
Export
Collapse

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

A.
channelTTL
A.
channelTTL
Answers
B.
connectionTimeout
B.
connectionTimeout
Answers
C.
autoLBFrequency
C.
autoLBFrequency
Answers
D.
secsInFailurelnterval
D.
secsInFailurelnterval
Answers
Suggested answer: C

Explanation:

Reference:

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/Configureloadbalancing

Question 98

Report
Export
Collapse

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A.
followTail = -45d
A.
followTail = -45d
Answers
B.
ignore = 45d
B.
ignore = 45d
Answers
C.
includeNewerThan = -35d
C.
includeNewerThan = -35d
Answers
D.
ignoreOlderThan = 45d
D.
ignoreOlderThan = 45d
Answers
Suggested answer: D

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Configuretimestamprecognition

Question 99

Report
Export
Collapse

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A.
90 days
A.
90 days
Answers
B.
60 days
B.
60 days
Answers
C.
7 days
C.
7 days
Answers
D.
14 days
D.
14 days
Answers
Suggested answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/MoreaboutSplunkFree

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 100

Report
Export
Collapse

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

A.
Indexer
A.
Indexer
Answers
B.
Deployment server
B.
Deployment server
Answers
C.
Universal forwarder
C.
Universal forwarder
Answers
D.
Search head
D.
Search head
Answers
Suggested answer: D
Total 185 questions
Go to page: of 19
ExamGecko

Copyright @2023 ExamGecko | All right reserved

Mail us: [email protected]
About us
Contact us
Twitter X
Facebook
Medium
Convert VPLUS to PDF
Open VPLUS files Easily and Quickly
Privacy Policy
Disclaimer
Terms