ExamGecko

Splunk SPLK-1003 Practice Test - Questions Answers, Page 2


Question 11


When are knowledge bundles distributed to search peers?

A. After a user logs in.
B. When Splunk is restarted.
C. When adding a new search peer.
D. When a distributed search is initiated.
Suggested answer: D

Explanation:

"The search head replicates the knowledge bundle periodically in the background or when initiating a search." "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend

asked 23/09/2024
Ricardo Monsalve
38 questions

Question 12


Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

A. _audit
B. _checkpoint
C. _introspection
D. _thefishbucket
Suggested answer: D

Explanation:

--reset: Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use.

https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport

Reference: http://docshare02.docshare.tips/files/4773/47733589.pdf

asked 23/09/2024
Reinhard KOhl
38 questions

Question 13


After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

A. index=main
B. index=test
C. index=summary
D. index=_internal
Suggested answer: D

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Validateyourconfiguration

asked 23/09/2024
Pablo Fernandez Rada
36 questions

Question 14


Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)

A. Index once.
B. Monitor interval.
C. On-demand monitor.
D. Continuously monitor.
Suggested answer: A, D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

The fastest way to add data to your Splunk Cloud instance or Splunk Enterprise deployment is to use Splunk Web. After you access the Add Data page, choose one of three options for getting data into your Splunk platform deployment with Splunk Web:

1. Upload: lets you upload a file or archive of files for indexing. When you choose the Upload option, Splunk Web opens the upload process page.
2. Monitor: for Splunk Enterprise installations, the Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to.
3. Forward

asked 23/09/2024
Ankit Singh
35 questions

Question 15


What is the valid option for a [monitor] stanza in inputs.conf?

A. enabled
B. datasource
C. server_name
D. ignoreOlderThan
Suggested answer: D

Explanation:

Setting: ignoreOlderThan = <time_window>
Description: "Causes the input to stop checking files for updates if the file modification time has passed the <time_window> threshold."
Default: 0 (disabled)

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Monitorfilesanddirectorieswithinputs.conf

asked 23/09/2024
Lucia Montero Tejeda
37 questions

Question 16


Which of the following is a benefit of distributed search?

A. Peers run search in sequence.
B. Peers run search in parallel.
C. Resilience from indexer failure.
D. Resilience from search head failure.
Suggested answer: B

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Parallel reduce search processing: if you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.

asked 23/09/2024
Nenad Celikovic
38 questions

Question 17


The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in which configuration file?

A. inputs.conf
B. indexes.conf
C. outputs.conf
D. servers.conf
Suggested answer: C

Explanation:

The CLI command "splunk add forward-server indexer:<receiving-port>" is used to define the indexer and its listening port on a forwarder. The command creates an entry of the form "[tcpout-server://<ip address>:<port>]" in the outputs.conf file.

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Enableareceiver

asked 23/09/2024
Rocky Lott
32 questions

Question 18


The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

A. host
B. index
C. linecount
D. splunk_server
Suggested answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields

splunk_server: The splunk_server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment. Example: restrict a search to the main index on a server named remote:

splunk_server=remote index=main 404

asked 23/09/2024
adnan reubin
30 questions

Question 19


Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

A. props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
KEY = _raw

B. props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

C. transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

D. transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
Suggested answer: D

Explanation:

transforms.conf is the configuration file in which the masking stanza's regular expression is defined, and the valid setting names are REGEX and DEST_KEY (not REX or KEY), which is why only option D is a working stanza.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf

Reference: https://community.splunk.com/t5/Archive/How-to-mask-SSN-into-our-logs-going-into-Splunk/tdp/433035
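To show what the REGEX / FORMAT / DEST_KEY = _raw stanza in option D does to an event, here is an added Python example (not code from the page or from Splunk) that mimics the transform semantics on constructed log lines. It assumes the canonical Splunk docs form of the regex (`(.*)` and a literal `<SSN>` marker in the event), which the extraction above garbled, and adds a variant for the bare 123-44-5678 format the question describes.

```python
import re

def splunk_format(fmt: str, match: "re.Match") -> str:
    """Expand Splunk FORMAT placeholders $1, $2, ... from a regex match."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", fmt)

def apply_transform(regex: str, fmt: str, raw: str) -> str:
    """Apply one transforms.conf-style REGEX/FORMAT pair with DEST_KEY = _raw.
    Events the REGEX does not match are left unchanged, as Splunk does."""
    m = re.match(regex, raw)  # (?ms) inline flags come from the regex itself
    if not m:
        return raw
    return splunk_format(fmt, m)

# Stanza from the question with the extraction garbling undone (assumption:
# the canonical docs form, which expects a literal <SSN> marker in the event).
TAGGED_REGEX = r"(?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
TAGGED_FORMAT = r"$1<SSN>###-##-$2"

# Variant for the bare 123-44-5678 format the question describes (no marker);
# the lazy (.*?) keeps the first SSN-shaped token, \b stops it matching dates.
BARE_REGEX = r"(?ms)^(.*?)\b\d{3}-\d{2}-(\d{4}\b.*)$"
BARE_FORMAT = r"$1###-##-$2"

# Constructed sample events, not real data.
EVENTS = [
    "2024-09-23 10:00:01 user=alice ssn=<SSN>123-44-5678 action=login",
    "2024-09-23 10:00:02 user=bob ssn=123-44-5678 action=login",
    "2024-09-23 10:00:03 user=carol action=logout",
]

def mask_events(events, regex, fmt):
    """Run every event through the transform; returns the rewritten _raw values."""
    return [apply_transform(regex, fmt, e) for e in events]

def leaks_ssn(text: str) -> bool:
    """Detection check for the policy violation: an unmasked nnn-nn-nnnn remains."""
    return re.search(r"\b\d{3}-\d{2}-\d{4}\b", text) is not None

if __name__ == "__main__":
    for e in mask_events(EVENTS, BARE_REGEX, BARE_FORMAT):
        print(("LEAK " if leaks_ssn(e) else "ok   ") + e)
```

In Splunk the stanza only takes effect once props.conf wires it to a sourcetype with a TRANSFORMS-<class> setting; the tagged form silently leaves any event without the `<SSN>` marker unmasked, which is why the bare variant is the one to compare against the 123-44-5678 format in the question.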

asked 23/09/2024
Houshang Ardekani
39 questions

Question 20


If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

A. Indexer
B. Forwarder
C. Search head
D. Deployment server
Suggested answer: A

Explanation:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

"Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf"

Reference: https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/tdp/93310

asked 23/09/2024
Okan YILDIZ
39 questions
Total 189 questions