Splunk SPLK-1003 Practice Test - Questions Answers, Page 19
Question 181

Which pathway represents where a network input in Splunk might be found?
Question 182

A Universal Forwarder has the following active stanza in inputs.conf:
[monitor:///var/log]
disabled = 0
host = 460352847
An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?
Question 183

Which scenario is applicable given the stanzas in authentication.conf below?
[authentication]
externalTwoFactorAuthVendor = Duo
externalTwoFactorAuthSettings = duoMFA
[duoMFA]
integrationKey = aGFwcHliaXJ0aGRheU1pZGR5
secretKey = YXVzdHJhaWxpYW5Gb3JHcmVw
applicationKey = c3BsaW5raW5ndGhlcGx1bWJ1c3NpbmN1OTU
apiHostname = 466993018.duosecurity.com
failOpen = True
timeout = 60
Question 184

Which of the following is a valid method to create a Splunk user?
Question 185

An admin oversees an environment with a 1000 GB/day license. The configuration file server.conf has strict_pool_quota=false set. The license is divided into the following three pools, and today's usage is shown in the right-hand column:
Pool | License Size | Today's usage
X    | 500 GB/day   | 100 GB
Y    | 350 GB/day   | 400 GB
Z    | 150 GB/day   | 300 GB
Given this, which pool(s) are issued warnings?
Question 186

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?
Question 187

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?
Question 188

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?
Question 189

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?
Question