Splunk SPLK-1003 Practice Test - Questions Answers, Page 3
List of questions
Related questions
Question 21

How can native authentication be disabled in Splunk?
Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount
Question 22

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?
Explanation:
Indexers, search head, deployment server, license master, universal forwarder. This is the combination of Splunk component instances that are needed to handle the volume of data from collecting log files from 50 Linux servers and 200 Windows servers, following the best practices. The roles and functions of these components are:
Indexers: These are the Splunk instances that index the data and make it searchable. They also perform some data processing, such as timestamp extraction, line breaking, and field extraction.
Multiple indexers can be clustered together to provide high availability, data replication, and load balancing.
Search head: This is the Splunk instance that coordinates the search across the indexers and merges the results from them. It also provides the user interface for searching, reporting, and dashboarding.
A search head can also be clustered with other search heads to provide high availability, scalability, and load balancing.
Deployment server: This is the Splunk instance that manages the configuration and app deployment for the universal forwarders. It allows the administrator to centrally control the inputs.conf, outputs.conf, and other configuration files for the forwarders, as well as distribute apps and updates to them.
License master: This is the Splunk instance that manages the licensing for the entire Splunk deployment. It tracks the license usage of all the Splunk instances and enforces the license limits and violations. It also allows the administrator to add, remove, or change licenses.
Universal forwarder: These are the lightweight Splunk instances that collect data from various sources and forward it to the indexers or other forwarders. They do not index or parse the data, but only perform minimal processing, such as compression and encryption. They are installed on the Linux and Windows servers that generate the log files.
Question 23

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)
Explanation:
https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder
--Key configuration files are: inputs.conf controls how the forwarder collects data. outputs.conf controls how the forwarder sends data to an indexer or other forwarder server.conf for connection and performance tuning deploymentclient.conf for connecting to a deployment server Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/ Configuretheuniversalforwarder
Question 24

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients
Reference: https://community.splunk.com/t5/Getting-Data-In/Can-I-use-both-the-whitelist-ANDblacklist-forthesame/td-p/390910
Question 25

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata
Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."
Reference: https://community.splunk.com/t5/Getting-Data-In/How-to-configure-search-head-toforwardinternal-data-to-the/td-p/111658
Question 26

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?
Explanation:
Per the provided Splunk reference URL
https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck
"While HEC has precautions in place to prevent data loss, it's impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknolwedgment comes in."
Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck
Question 27

Which Splunk component performs indexing and responds to search requests from the search head?
Explanation:
https://docs.splunk.com/Splexicon:Searchpeer
"A Splunk platform instance that responses to search requests from a search head. The term "Search peer" is usually synonymous with the indexer role in a distributed search topology..."
Question 28

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
Explanation:
<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>
https://docs.splunk.com/Splexicon:Serverclass
Question 29

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?
Event example:
Explanation:
https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
"Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.
Question 30

Which of the following are required when defining an index in indexes. conf? (select all that apply)
Explanation:
homePath = $SPLUNK_DB/hatchdb/db
coldPath = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS
Question