ExamGecko
Home / Splunk / SPLK-1003
Ask Question

Splunk SPLK-1003 Practice Test - Questions Answers, Page 3

Question list
Search

Question 21

Report
Export
Collapse

How can native authentication be disabled in Splunk?

Remove the $SPLUNK_HOME/etc/passwd file
Remove the $SPLUNK_HOME/etc/passwd file
Create an empty $SPLUNK_HOME/etc/passwd file
Create an empty $SPLUNK_HOME/etc/passwd file
Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
Set nativeAuthentication=false in authentication.conf
Set nativeAuthentication=false in authentication.conf
Suggested answer: B

Explanation:

Reference:

https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount

asked 23/09/2024
Simone Somacal
31 questions

Question 22

Report
Export
Collapse

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

Indexers, search head, universal forwarders, license master
Indexers, search head, universal forwarders, license master
Indexers, search head, deployment server, universal forwarders
Indexers, search head, deployment server, universal forwarders
Indexers, search head, deployment server, license master, universal forwarder
Indexers, search head, deployment server, license master, universal forwarder
Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder
Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder
Suggested answer: C

Explanation:

Indexers, search head, deployment server, license master, universal forwarder. This is the combination of Splunk component instances that are needed to handle the volume of data from collecting log files from 50 Linux servers and 200 Windows servers, following the best practices. The roles and functions of these components are:

Indexers: These are the Splunk instances that index the data and make it searchable. They also perform some data processing, such as timestamp extraction, line breaking, and field extraction.

Multiple indexers can be clustered together to provide high availability, data replication, and load balancing.

Search head: This is the Splunk instance that coordinates the search across the indexers and merges the results from them. It also provides the user interface for searching, reporting, and dashboarding.

A search head can also be clustered with other search heads to provide high availability, scalability, and load balancing.

Deployment server: This is the Splunk instance that manages the configuration and app deployment for the universal forwarders. It allows the administrator to centrally control the inputs.conf, outputs.conf, and other configuration files for the forwarders, as well as distribute apps and updates to them.

License master: This is the Splunk instance that manages the licensing for the entire Splunk deployment. It tracks the license usage of all the Splunk instances and enforces the license limits and violations. It also allows the administrator to add, remove, or change licenses.

Universal forwarder: These are the lightweight Splunk instances that collect data from various sources and forward it to the indexers or other forwarders. They do not index or parse the data, but only perform minimal processing, such as compression and encryption. They are installed on the Linux and Windows servers that generate the log files.

asked 23/09/2024
Luis Alfonso Rodriguez Castro
35 questions

Question 23

Report
Export
Collapse

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

inputs.conf
inputs.conf
monitor.conf
monitor.conf
outputs.conf
outputs.conf
forwarder.conf
forwarder.conf
Suggested answer: A, C

Explanation:

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder

--Key configuration files are: inputs.conf controls how the forwarder collects data. outputs.conf controls how the forwarder sends data to an indexer or other forwarder server.conf for connection and performance tuning deploymentclient.conf for connecting to a deployment server Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/ Configuretheuniversalforwarder

asked 23/09/2024
Edgar Santiago
47 questions

Question 24

Report
Export
Collapse

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

The blacklist takes precedence over the whitelist.
The blacklist takes precedence over the whitelist.
The whitelist takes precedence over the blacklist.
The whitelist takes precedence over the blacklist.
Wildcards are not supported in any client filters.
Wildcards are not supported in any client filters.
Machine type filters are applied before the whitelist and blacklist.
Machine type filters are applied before the whitelist and blacklist.
Suggested answer: A

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

Reference: https://community.splunk.com/t5/Getting-Data-In/Can-I-use-both-the-whitelist-ANDblacklist-forthesame/td-p/390910

asked 23/09/2024
Mark Arnold Santos
37 questions

Question 25

Report
Export
Collapse

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

props.conf
props.conf
inputs.conf
inputs.conf
outputs.conf
outputs.conf
collections.conf
collections.conf
Suggested answer: C

Explanation:

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."

Reference: https://community.splunk.com/t5/Getting-Data-In/How-to-configure-search-head-toforwardinternal-data-to-the/td-p/111658

asked 23/09/2024
Alan Phillips
43 questions

Question 26

Report
Export
Collapse

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

Enable indexer acknowledgment.
Enable indexer acknowledgment.
Enable forwarder acknowledgment.
Enable forwarder acknowledgment.
splunk check-integrity -index <index name>
splunk check-integrity -index <index name>
index=_internal component=ACK | stats count by host
index=_internal component=ACK | stats count by host
Suggested answer: A

Explanation:

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

"While HEC has precautions in place to prevent data loss, it's impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknolwedgment comes in."

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

asked 23/09/2024
Daniel Vong
42 questions

Question 27

Report
Export
Collapse

Which Splunk component performs indexing and responds to search requests from the search head?

Forwarder
Forwarder
Search peer
Search peer
License master
License master
Search head cluster
Search head cluster
Suggested answer: B

Explanation:

https://docs.splunk.com/Splexicon:Searchpeer

"A Splunk platform instance that responses to search requests from a search head. The term "Search peer" is usually synonymous with the indexer role in a distributed search topology..."

asked 23/09/2024
Charalambos Stavrou
34 questions

Question 28

Report
Export
Collapse

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

App Class
App Class
Client Class
Client Class
Server Class
Server Class
Forwarder Class
Forwarder Class
Suggested answer: C

Explanation:

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

asked 23/09/2024
Ibrahim SACCA
38 questions

Question 29

Report
Export
Collapse

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Splunk SPLK-1003 image Question 29 75337 09232024004541000000

Event example:

Splunk SPLK-1003 image Question 29 75337 09232024004541000000

MAX_TIMESTAMP_L0CKAHEAD = 5
MAX_TIMESTAMP_L0CKAHEAD = 5
MAX_TIMESTAMP_LOOKAHEAD - 10
MAX_TIMESTAMP_LOOKAHEAD - 10
MAX_TIMESTAMF_LOOKHEAD = 20
MAX_TIMESTAMF_LOOKHEAD = 20
MAX TIMESTAMP LOOKAHEAD - 30
MAX TIMESTAMP LOOKAHEAD - 30
Suggested answer: D

Explanation:

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

"Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.

asked 23/09/2024
Jose M Rivera Vega
38 questions

Question 30

Report
Export
Collapse

Which of the following are required when defining an index in indexes. conf? (select all that apply)

coldPath
coldPath
homePath
homePath
frozenPath
frozenPath
thawedPath
thawedPath
Suggested answer: A, B, D

Explanation:

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

asked 23/09/2024
Tamas Szekely
36 questions
Total 189 questions
Go to page: of 19