SPLK-1003 Practice Questions

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

Immediately after installation, what will a Universal Forwarder do first?

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly...

The following stanza is active in indexes.conf: [cat_facts] maxHotSpanSecs = 3600 frozenTimePeriodInSecs = 2630000 maxTota1DataSizeMB = 650000 All other related indexes.conf settin...

Event processing occurs at which phase of the data pipeline?

Which Splunk component would one use to perform line breaking prior to indexing?

What is a role in Splunk? (select all that apply)

What is the name of the object that stores events inside of an index?

What will the following inputs. conf stanza do? [script://myscript . sh] Interval=0

Which of the following describes a Splunk deployment server?

What type of Splunk license is pre-selected in a brand new Splunk installation?

Given a forwarder with the following outputs.conf configuration: [tcpout : mypartner] Server = 145.188.183.184:9097 [tcpout : hfbank] server = inputsl . mysplunkhfs . corp : 9997 ,...

Syslog files are being monitored on a Heavy Forwarder. Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

Which pathway represents where a network input in Splunk might be found?

A Universal Forwarder has the following active stanza in inputs . conf: [monitor: //var/log] disabled = O host = 460352847 An event from this input has a timestamp of 10:55. What t...

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configu...

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

When should the Data Preview feature be used?

Which file will be matched for the following monitor stanza in inputs. conf?

Which setting in indexes.conf allows data retention to be controlled by time?

The universal forwarder has which capabilities when sending data? (select all that apply)

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

In which Splunk configuration is the SEDCMD used?

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

Which parent directory contains the configuration files in Splunk?

Which forwarder type can parse data prior to forwarding?

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

An admin oversees an environment with a 1000 GB / day license. The configuration file server.conf has strict_pool_quota=false set. The license is divided into the following three p...

What is the timespan for which a Splunk Enterprise Trial License is valid?

A has been explicitly set in inputs.conf. How can the be fine- sourcetype sourcetype tuned in props.conf during the Input phase?

The following stanzas in inputs.conf are currently being used by a deployment client: Which of the following statements is true of data that is received via this input?

Which of the following is an alternative method to manually editing the outputs.conf file on the forwarder to send data?

What command is used to configure a deployment client?

Which of the following is true about the Data Preview step in the Add Data workflow?

Which of these is not a valid way to get data into Splunk?

When configuring Distributed Search, which of the following stanzas will add search peers?

What is the correct order of index time precedence? (For each of the following, highest precedence is shown at the top and lowest precedence is shown at the bottom)

Which stanza value in defines index-time data masking? props.conf

Which of the following primary authentication methods is not supported with Splunk handling its paired multi-factor authentication method?

Which scenario is applicable given the stanzas in authentication.conf below?

There is a file with a vast amount of old data. Which of the following inputs. conf attributes would allow an admin to monitor the file for updates without indexing the pre-existin...

The Deployment Server is overwhelmed by forwarders checking in too frequently. To address this problem, the admin wants to have forwarders check in on an hourly basis. How would th...

The following stanzas in inputs. conf are currently being used by a deployment client: Which of the following statements is true of data that is received via this input?

Metadata settings are assigned when Splunk indexes event data. Which of the following is not a default metadata value? source A.

A Universal Forwarder has the following active stanza in inputs.conf: An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of index...

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

A Universal Forwarder is monitoring a very active syslog stream and as a result is unable to switch between destinations. How would an admin safely remediate this issue?

Which of the following is a valid method to create a Splunk user?