Splunk SPLK-1003 Exam Practice Test Instant Access

Question 1

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 2

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 3

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 4

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

Question 5

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.This is explained in the Splunk documentation1, which states:

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 6

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 7

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

The input path can be a file or a directory, and it can include wildcards (*) and regular expressions. The wildcards match any number of characters, including none, while the regular expressions match patterns of characters. The input path is case-sensitive and must be enclosed in double quotes if it contains spaces1.

In this case, the input path is /var/log//bar/.txt, which means Splunk will monitor any file with the .txt extension that is located in a subdirectory named bar under the /var/log directory. The subdirectory bar can be at any level under the /var/log directory, and the * wildcard will match any characters before or after the bar and .txt parts1.

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Splunk SPLK-1003 Splunk Enterprise Certified Admin Exam Practice Test