Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test

Page: 1 / 14
Total 182 questions
Question 1

When should the Data Preview feature be used?



Answer : D

The Data Preview feature should be used when validating the parsing of data. The Data Preview feature allows you to preview how Splunk software will index your data before you commit the data to an index. You can use the Data Preview feature to check the following aspects of data parsing1:

Timestamp recognition: You can verify that Splunk software correctly identifies the timestamps of your events and assigns them to the _time field.

Event breaking: You can verify that Splunk software correctly breaks your data stream into individual events based on the line breaker and should linemerge settings.

Source type assignment: You can verify that Splunk software correctly assigns a source type to your data based on the props.conf file settings. You can also manually override the source type if needed.

Field extraction: You can verify that Splunk software correctly extracts fields from your events based on the transforms.conf file settings. You can also use the Interactive Field Extractor (IFX) to create custom field extractions.

The Data Preview feature is available in Splunk Web under Settings > Data inputs > Data preview. You can access the Data Preview feature when you add a new input or edit an existing input1.

The other options are incorrect because:

A) When extracting fields for ingested data. The Data Preview feature can be used to verify the field extraction for data that has not been ingested yet, but not for data that has already been indexed. To extract fields from ingested data, you can use the IFX or the rex command in the Search app2.

B) When previewing the data before searching. The Data Preview feature does not allow you to search the data, but only to view how it will be indexed. To preview the data before searching, you can use the Search app and specify a time range or a sample ratio.

C) When reviewing data on the source host. The Data Preview feature does not access the data on the source host, but only the data that has been uploaded or monitored by Splunk software. To review data on the source host, you can use the Splunk Universal Forwarder or the Splunk Add-on for Unix and Linux.


Question 2

The following stanza is active in indexes.conf:

[cat_facts]

maxHotSpanSecs = 3600

frozenTimePeriodInSecs = 2630000

maxTota1DataSizeMB = 650000

All other related indexes.conf settings are default values.

If the event timestamp was 3739283 seconds ago, will it be searchable?



Answer : D

The correct answer is D. No, because the event time is greater than the retention time.

According to the Splunk documentation1, the frozenTimePeriodInSecs setting in indexes.conf determines how long Splunk software retains indexed data before deleting it or archiving it to a remote storage. The default value is 188697600 seconds, which is equivalent to six years. The setting can be overridden on a per-index basis.

In this case, the cat_facts index has a frozenTimePeriodInSecs setting of 2630000 seconds, which is equivalent to about 30 days. This means that any event that is older than 30 days from the current time will be removed from the index and will not be searchable.

The event timestamp was 3739283 seconds ago, which is equivalent to about 43 days. This means that the event is older than the retention time of the cat_facts index and will not be searchable.

The other settings in the stanza, such as maxHotSpanSecs and maxTota1DataSizeMB, do not affect the retention time of the events. They only affect the size and duration of the buckets that store the events.


Question 3

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?



Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

According to the Splunk documentation1, to mask sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file and the REGEX attribute in the transforms.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing, while the REGEX attribute defines a regular expression to match the data to be masked. You need to place these files on the Splunk instance that parses the data, which is usually the indexer or the heavy forwarder2. The universal forwarder does not parse the data, so it does not need these files.

For source A, the data is routed through a heavy forwarder, which can parse the data before sending it to the indexer. Therefore, you need to place both props.conf and transforms.conf on the heavy forwarder for source A, so that the masking takes place before indexing.

For source B, the data is routed directly to the indexer, which parses and indexes the data. Therefore, you need to place both props.conf and transforms.conf on the indexer for source B, so that the masking takes place before indexing.


Question 4
Question 5
Question 6

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?



Answer : A

This is the endpoint URI used to collect data using the HTTP Event Collector (HEC), which is a token-based API that allows you to send data to Splunk Enterprise from any application that can make an HTTP request. The endpoint URI consists of the protocol (http or https), the hostname or IP address of the Splunk server, the port number (default is 8088), and the service name (services/collector). For example:

https://mysplunkserver.example.com:8088/services/collector


Question 7

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?



Answer : A

This option corresponds to the file path ''$SPLUNK_HOME/etc/apps/splunk_TA_nginx/local/inputs.conf''. This is the configuration file that the user needs to edit to ingest the NGINX access logs to ensure it remains unaffected after upgrade. This is explained in the Splunk documentation, which states:

The local directory is where you place your customized configuration files. The local directory is empty when you install Splunk Enterprise. You create it when you need to override or add to the default settings in a configuration file. The local directory is never overwritten during an upgrade.


Page:    1 / 14   
Total 182 questions