Splunk SPLK-1003 Exam Practice Test Instant Access

Question 1

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

'It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index that file, as the blacklist filter overrides the whitelist filter.' Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata

Question 2

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

When Splunk is integrated with LDAP, most of the user attributes are managed by the LDAP server and cannot be changed in the Splunk UI. However, one exception is the default app attribute, which specifies which app a user sees when they log in to Splunk. This attribute can be changed in the Splunk UI by editing the user settings. Therefore, option A is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Configure Splunk to use LDAP and map groups - Splunk Documentation]

Question 3

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

--reset Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use. https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport

Question 4

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 5

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

The eval command is a distributable streaming command, which means that it can run on the search peers in a distributed environment1.The search peers are the indexers that store the data and perform the initial steps of the search processing2.The eval command calculates an expression and puts the resulting value into a search results field1. In your search, you are using the eval command to create a new field called ''responsible_team'' based on the values in the ''account'' field.

Question 6

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 7

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Splunk Enterprise Certified Admin SPLK-1003 Exam Practice Test