March Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: scxmas70

SPLK-1003 Exam Dumps - Splunk Enterprise Certified Admin Exam

Question # 4

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A.

_TCP_ROUTING

B.

_INDEXER_LIST

C.

_INDEXER_GROUP

D.

_INDEXER ROUTING

Full Access
Question # 5

Which of the following types of data count against the license daily quota?

A.

Replicated data

B.

splunkd logs

C.

Summary index data

D.

Windows internal logs

Full Access
Question # 6

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A.

[read://opt/log/crashlog/Jan27crash.txt]

B.

[monitor::/ opt/log/crashlog/Jan27crash.txt]

C.

[monitor:/// opt/log/]

D.

[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Full Access
Question # 7

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?

A.

Indexer clustering

B.

LDAP control

C.

Distributed search

D.

Search head clustering

Full Access
Question # 8

User role inheritance allows what to be inherited from the parent role? (select all that apply)

A.

Parents

B.

Capabilities

C.

Index access

D.

Search history

Full Access
Question # 9

Which of the following statements describes how distributed search works?

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Full Access
Question # 10

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Full Access
Question # 11

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

A.

bucketdb

B.

frozendb

C.

colddb

D.

db

Full Access
Question # 12

Which of the following apply to how distributed search works? (select all that apply)

A.

The search head dispatches searches to the peers

B.

The search peers pull the data from the forwarders.

C.

Peers run searches in parallel and return their portion of results.

D.

The search head consolidates the individual results and prepares reports

Full Access
Question # 13

To set up a Network input in Splunk, what needs to be specified'?

A.

File path.

B.

Username and password

C.

Network protocol and port number.

D.

Network protocol and MAC address.

Full Access
Question # 14

Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

A.

Universal Forwarder

B.

Search head

C.

Heavy Forwarder

D.

Indexer

Full Access
Question # 15

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

A.

A token-based HTTP input that is secure and scalable and that requires the use of forwarders

B.

A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

C.

An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

D.

A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Full Access
Question # 16

Which of the following is valid distribute search group?

A)

B)

C)

D)

A.

option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 17

Which of the following is a benefit of distributed search?

A.

Peers run search in sequence.

B.

Peers run search in parallel.

C.

Resilience from indexer failure.

D.

Resilience from search head failure.

Full Access
Question # 18

When using license pools, volume allocations apply to which Splunk components?

A.

Indexers

B.

Indexes

C.

Heavy Forwarders

D.

Search Heads

Full Access
Question # 19

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

A.

Enable indexer acknowledgment.

B.

Enable forwarder acknowledgment.

C.

splunk check-integrity -index

D.

index=_internal component=ACK | stats count by host

Full Access
Question # 20

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

A.

Map Users

B.

Map Groups

C.

Map LDAP Inheritance

D.

Map LDAP to Active Directory

Full Access
Question # 21

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

A.

Disk

B.

CPUs

C.

Memory

D.

Network interface cards

Full Access
Question # 22

Where are deployment server apps mapped to clients?

A.

Apps tab in forwarder management interface or clientapps.conf.

B.

Clients tab in forwarder management interface or deploymentclient.conf.

C.

Server Classes tab in forwarder management interface or serverclass.conf.

D.

Client Applications tab in forwarder management interface or clientapps.conf.

Full Access
Question # 23

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

A.

diskQueueSize

B.

durableQueueSize

C persistentOueueSize

C.

queueSize

Full Access
Question # 24

How do you remove missing forwarders from the Monitoring Console?

A.

By restarting Splunk.

B.

By rescanning active forwarders.

C.

By reloading the deployment server.

D.

By rebuilding the forwarder asset table.

Full Access
Question # 25

Which of the methods listed below supports muti-factor authentication?

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAML)

C.

Single Sign-on (SSO)

D.

OpenlD

Full Access
Question # 26

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

A.

inputs.conf

B.

monitor.conf

C.

outputs.conf

D.

forwarder.conf

Full Access
Question # 27

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder's outputs. and the tcpout stanza are setup correctly. What else could be the cause of this scaling issue? (select all that apply)

A.

The receiving port is not properly setup to listen on the right port.

B.

The inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

C.

The DNS record used is not setup with a valid list of IP addresses.

D.

The indexAndForward value is not set properly.

Full Access
Question # 28

Event processing occurs at which phase of the data pipeline?

A.

Search

B.

Indexing

C.

Parsing

D.

Input

Full Access
Question # 29

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Full Access
Question # 30

What event-processing pipelines are used to process data for indexing? (select all that apply)

A.

Typing pipeline

B.

Parsing pipeline

C.

fifo pipeline

D.

Indexing pipeline

Full Access
Question # 31

Which of the following is accurate regarding the input phase?

A.

Breaks data into events with timestamps.

B.

Applies event-level transformations.

C.

Fine-tunes metadata.

D.

Performs character encoding.

Full Access
Question # 32

Syslog files are being monitored on a Heavy Forwarder.

Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

A.

Heavy Forwarder

B.

Indexer

C.

Search head

D.

Deployment server

Full Access
Question # 33

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

A.

Slash notation

B.

Regular expression

C.

Irregular expression

D.

Wildcard-only expression

Full Access
Question # 34

A configuration file in a deployed app needs to be directly edited. Which steps would ensure a successful deployment to clients?

A.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and the change will be automatically sent to the deployment clients.

B.

Make the change in $SPLUNK HOME /etc/apps/$appname/local/ on any of the deployment clients, and then run the command . / splunk reload deploy-server to push that change to the deployment server.

C.

Make the change in $SPLUNK HOME/etc/dep10yment apps/$appName/10ca1/ on the deployment server, and then run $SPLUNK HOME/bin/sp1unk reload deploy—server.

D.

Make the change in $SPLUNK HOME/etc/apps/$appName/defau1t on the deployment server, and it will be distributed down to the clients' own local versions.

Full Access
Question # 35

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

A.

index=main

B.

index=test

C.

index=summary

D.

index=_internal

Full Access
Question # 36

Which of the following are required when defining an index in indexes. conf? (select all that apply)

A.

coldPath

B.

homePath

C.

frozenPath

D.

thawedPath

Full Access
Question # 37

Consider the following stanza ininputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Full Access
Question # 38

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Full Access
Question # 39

In which phase of the index time process does the license metering occur?

A.

input phase

B.

Parsing phase

C.

Indexing phase

D.

Licensing phase

Full Access
Question # 40

Which of the following are reasons to create separate indexes? (Choose all that apply.)

A.

Different retention times.

B.

Increase number of users.

C.

Restrict user permissions.

D.

File organization.

Full Access
Question # 41

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Full Access
Question # 42

What type of Splunk license is pre-selected in a brand new Splunk installation?

A.

Free license

B.

Forwarder license

C.

Enterprise trial license

D.

Enterprise license

Full Access
Question # 43

Which Splunk component would one use to perform line breaking prior to indexing?

A.

Heavy Forwarder

B.

Universal Forwarder

C.

Search head

D.

This can only be done at the indexing layer.

Full Access
Question # 44

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

A.

inputs.conf

B.

indexes.conf

C.

outputs.conf

D.

servers.conf

Full Access
Question # 45

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

A.

Indexer

B.

Deployment server

C.

Universal forwarder

D.

Search head

Full Access
Question # 46

Within props. conf, which stanzas are valid for data modification? (select all that apply)

A.

Host

B.

Server

C.

Source

D.

Sourcetype

Full Access
Question # 47

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

A.

admin

B.

power

C.

user

D.

splunk-system-role

Full Access
Question # 48

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

A.

It does not encrypt the certificate password.

B.

SSL automatically compresses the feed by default.

C.

It requires that the forwarder be set to compressed=true.

D.

It requires that the receiver be set to compression=true.

Full Access
Question # 49

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

A.

LDAP

B.

SAML

C.

RADIUS

D.

Duo Multifactor Authentication

Full Access
Question # 50

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

A.

host

B.

index

C.

linecount

D.

splunk_server

Full Access
Question # 51

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

A.

CLI

B.

Edit inputs . conf

C.

Edit forwarder.conf

D.

Forwarder Management

Full Access
Question # 52

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access