Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test

Page: 1 / 14
Total 196 questions
Question 1

Which of the following applies only to Splunk index data integrity check?



Answer : C


Question 2

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?



Answer : C

Indexers, search head, deployment server, license master, universal forwarder. This is the combination of Splunk component instances that are needed to handle the volume of data from collecting log files from 50 Linux servers and 200 Windows servers, following the best practices. The roles and functions of these components are:

Indexers: These are the Splunk instances that index the data and make it searchable. They also perform some data processing, such as timestamp extraction, line breaking, and field extraction. Multiple indexers can be clustered together to provide high availability, data replication, and load balancing.

Search head: This is the Splunk instance that coordinates the search across the indexers and merges the results from them. It also provides the user interface for searching, reporting, and dashboarding. A search head can also be clustered with other search heads to provide high availability, scalability, and load balancing.

Deployment server: This is the Splunk instance that manages the configuration and app deployment for the universal forwarders. It allows the administrator to centrally control the inputs.conf, outputs.conf, and other configuration files for the forwarders, as well as distribute apps and updates to them.

License master: This is the Splunk instance that manages the licensing for the entire Splunk deployment. It tracks the license usage of all the Splunk instances and enforces the license limits and violations. It also allows the administrator to add, remove, or change licenses.

Universal forwarder: These are the lightweight Splunk instances that collect data from various sources and forward it to the indexers or other forwarders. They do not index or parse the data, but only perform minimal processing, such as compression and encryption. They are installed on the Linux and Windows servers that generate the log files.


Question 3

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?



Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. 'Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers).'


Question 4

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)



Answer : C, D


Question 5

When indexing a data source, which fields are considered metadata?



Answer : D


Question 6

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

B)

C)

D)



Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

#

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true


Question 7

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?



Answer : A


Page:    1 / 14   
Total 196 questions