Splunk SPLK-1003 Practice Test - Questions Answers, Page 2

When are knowledge bundles distributed to search peers?

A. After a user logs in.
B. When Splunk is restarted.
C. When adding a new search peer.
D. When a distributed search is initiated.
Suggested answer: D

Explanation:

"The search head replicates the knowledge bundle periodically in the background or when initiating a search." "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf." Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

A. _audit
B. _checkpoint
C. _introspection
D. _thefishbucket
Suggested answer: D

Explanation:

"--reset: Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use."

https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport

Reference: http://docshare02.docshare.tips/files/4773/47733589.pdf

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

A. index=main
B. index=test
C. index=summary
D. index=_internal
Suggested answer: D

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Validateyourconfiguration

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)

A. Index once.
B. Monitor interval.
C. On-demand monitor.
D. Continuously monitor.
Suggested answer: A, D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

The fastest way to add data to your Splunk Cloud instance or Splunk Enterprise deployment is to use Splunk Web. After you access the Add Data page, choose one of three options for getting data into your Splunk platform deployment with Splunk Web: (1) Upload, (2) Monitor, (3) Forward. The Upload option lets you upload a file or archive of files for indexing; when you choose the Upload option, Splunk Web opens the upload process page. For Splunk Enterprise installations, the Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to.

Which of the following is a valid option for a [monitor] stanza in inputs.conf?

A. enabled
B. datasource
C. server_name
D. ignoreOlderThan
Suggested answer: D

Explanation:

Setting: ignoreOlderThan = <time_window>
Description: "Causes the input to stop checking files for updates if the file modification time has passed the <time_window> threshold."
Default: 0 (disabled)
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Monitorfilesanddirectorieswithinputs.conf

Which of the following is a benefit of distributed search?

A. Peers run search in sequence.
B. Peers run search in parallel.
C. Resilience from indexer failure.
D. Resilience from search head failure.
Suggested answer: B

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Parallel reduce search processing: If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.

The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in which configuration file?

A. inputs.conf
B. indexes.conf
C. outputs.conf
D. servers.conf
Suggested answer: C

Explanation:

The CLI command "splunk add forward-server indexer:<receiving-port>" is used to define the indexer and its listening port on forwarders. The command creates an entry of the form "[tcpout-server://<ip address>:<port>]" in the outputs.conf file.

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Enableareceiver

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

A. host
B. index
C. linecount
D. splunk_server
Suggested answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields

splunk_server: The splunk_server field contains the name of the Splunk server containing the event. It is useful in a distributed Splunk environment. Example: restrict a search to the main index on a server named remote: splunk_server=remote index=main 404

Social Security Number (PII) data is found in log events, which is against company policy. The SSN format is as follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

A. props.conf
   [mask-SSN]
   REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
   FORMAT = $1<SSN>###-##-$2
   KEY = _raw
B. props.conf
   [mask-SSN]
   REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
   FORMAT = $1<SSN>###-##-$2
   DEST_KEY = _raw
C. transforms.conf
   [mask-SSN]
   REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
   FORMAT = $1<SSN>###-##-$2
   DEST_KEY = _raw
D. transforms.conf
   [mask-SSN]
   REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
   FORMAT = $1<SSN>###-##-$2
   DEST_KEY = _raw
Suggested answer: D

Explanation:

Because transforms.conf is the correct configuration file in which to define the regular expression (REGEX), the replacement FORMAT, and the DEST_KEY for the masking transform.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf

Reference: https://community.splunk.com/t5/Archive/How-to-mask-SSN-into-our-logs-going-into-Splunk/tdp/433035

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

A. Indexer
B. Forwarder
C. Search head
D. Deployment server
Suggested answer: A

Explanation:

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

"Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf." Reference: https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/tdp/93310

Total 185 questions