ExamGecko

Splunk SPLK-1003 Practice Test - Questions Answers, Page 3

How can native authentication be disabled in Splunk?

A. Remove the $SPLUNK_HOME/etc/passwd file
B. Create an empty $SPLUNK_HOME/etc/passwd file
C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
D. Set nativeAuthentication=false in authentication.conf
Suggested answer: B

Explanation:

Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

A. Indexers, search head, universal forwarders, license master
B. Indexers, search head, deployment server, universal forwarders
C. Indexers, search head, deployment server, license master, universal forwarder
D. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder
Suggested answer: C

Explanation:

Indexers, search head, deployment server, license master, universal forwarder. This is the combination of Splunk component instances needed to handle the volume of log data collected from 50 Linux servers and 200 Windows servers, following best practices. The roles of these components are:

Indexers: The Splunk instances that index the data and make it searchable. They also perform data processing such as timestamp extraction, line breaking, and field extraction. Multiple indexers can be clustered together to provide high availability, data replication, and load balancing.

Search head: The Splunk instance that coordinates searches across the indexers and merges their results. It also provides the user interface for searching, reporting, and dashboarding. A search head can be clustered with other search heads to provide high availability, scalability, and load balancing.

Deployment server: The Splunk instance that manages configuration and app deployment for the universal forwarders. It lets the administrator centrally control inputs.conf, outputs.conf, and other configuration files on the forwarders, and distribute apps and updates to them.

License master: The Splunk instance that manages licensing for the entire Splunk deployment. It tracks the license usage of all Splunk instances and enforces license limits and violations. It also lets the administrator add, remove, or change licenses.

Universal forwarder: The lightweight Splunk instances that collect data from various sources and forward it to the indexers or to other forwarders. They do not index or parse the data; they perform only minimal processing, such as compression and encryption. They are installed on the Linux and Windows servers that generate the log files.

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

A. inputs.conf
B. monitor.conf
C. outputs.conf
D. forwarder.conf
Suggested answer: A, C

Explanation:

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder

Key configuration files are:

inputs.conf controls how the forwarder collects data.
outputs.conf controls how the forwarder sends data to an indexer or other forwarder.
server.conf is used for connection and performance tuning.
deploymentclient.conf is used for connecting to a deployment server.

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

A. The blacklist takes precedence over the whitelist.
B. The whitelist takes precedence over the blacklist.
C. Wildcards are not supported in any client filters.
D. Machine type filters are applied before the whitelist and blacklist.
Suggested answer: A

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

Reference: https://community.splunk.com/t5/Getting-Data-In/Can-I-use-both-the-whitelist-ANDblacklist-forthesame/td-p/390910

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

A. props.conf
B. inputs.conf
C. outputs.conf
D. collections.conf
Suggested answer: C

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."

Reference: https://community.splunk.com/t5/Getting-Data-In/How-to-configure-search-head-toforwardinternal-data-to-the/td-p/111658

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

A. Enable indexer acknowledgment.
B. Enable forwarder acknowledgment.
C. splunk check-integrity -index <index name>
D. index=_internal component=ACK | stats count by host
Suggested answer: A

Explanation:

Per the provided Splunk reference URL https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck:

"While HEC has precautions in place to prevent data loss, it's impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknowledgment comes in."

Which Splunk component performs indexing and responds to search requests from the search head?

A. Forwarder
B. Search peer
C. License master
D. Search head cluster
Suggested answer: B

Explanation:

https://docs.splunk.com/Splexicon:Searchpeer

"A Splunk platform instance that responds to search requests from a search head. The term "Search peer" is usually synonymous with the indexer role in a distributed search topology..."

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

A. App Class
B. Client Class
C. Server Class
D. Forwarder Class
Suggested answer: C

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture

https://docs.splunk.com/Splexicon:Serverclass

In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?

Event example:

A. MAX_TIMESTAMP_L0CKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD - 10
C. MAX_TIMESTAMF_LOOKHEAD = 20
D. MAX TIMESTAMP LOOKAHEAD - 30
Suggested answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

"Specify how far (how many characters) into an event Splunk software should look for a timestamp." Since TIME_PREFIX = ^ and the timestamp occupies character positions 0-29, a value of 30 (answer D) lets Splunk read the whole timestamp correctly.

Which of the following are required when defining an index in indexes.conf? (select all that apply)

A. coldPath
B. homePath
C. frozenPath
D. thawedPath
Suggested answer: A, B, D

Explanation:

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Total 185 questions