Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Splunk
Splunk Enterprise Certified Admin
SPLK-1003
Splunk Enterprise Certified Admin Questions and Answers

Pass the Splunk Enterprise Certified Admin SPLK-1003 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam SPLK-1003 Premium Access

View all detail and faqs for the SPLK-1003 exam

Go to Exam

645 Students Passed

90% Average Score

98% Same Questions

Viewing page 2 out of 7 pages

Viewing questions 11-20 out of questions

Questions # 11:

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Options:

License data

Metricsdata

Internal Splunk data

Internal Windows logs

Answer

Questions # 12:

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

Options:

/var/log/host_460352847/temp/bar/file/csv/foo.txt

/var/log/host_460352847/bar/foo.txt

/var/log/host_460352847/bar/file/foo.txt

/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer

Explanation

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

The input path can be a file or a directory, and it can include wildcards (*) and regular expressions. The wildcards match any number of characters, including none, while the regular expressions match patterns of characters. The input path is case-sensitive and must be enclosed in double quotes if it contains spaces1.

In this case, the input path is /var/log//bar/.txt, which means Splunk will monitor any file with the .txt extension that is located in a subdirectory named bar under the /var/log directory. The subdirectory bar can be at any level under the /var/log directory, and the * wildcard will match any characters before or after the bar and .txt parts1.

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A. /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B. /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D. /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Questions # 13:

When would the following command be used?

Options:

To verify' the integrity of a local index.

To verify the integrity of a SmartStore index.

To verify the integrity of a SmartStore bucket.

To verify the integrity of a local bucket.

Answer

Explanation

To verify the integrity of a local bucket. The command ./splunk check-integrity -bucketPath [bucket path] [-verbose] is used to verify the integrity of a local bucket by comparing the hashes stored in the l1Hashes and l2Hash files with the actual data in the bucket1. This command can help detect any tampering or corruption of the data.

Questions # 14:

Which of the following types of data count against the license daily quota?

Options:

Replicated data

splunkd logs

Summary index data

Windows internal logs

Answer

Explanation

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

[Reference:https://community.splunk.com/t5/Deployment-Architecture/License-usage-in-Indexer-Cluster/m-p/493548, , , ]

Questions # 15:

What action is required to enable forwarder management in Splunk Web?

Options:

Navigate to Settings > Server Settings > General Settings, and set an App server port.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

Create a server class and map it to a client inSPLUNK_HOME/etc/system/local/serverclass.conf.

Place an app in theSPLUNK_HOME/etc/deployment-appsdirectory of the deployment server.

Answer

Explanation

[Reference:https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Forwardermanagementoverview, , https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver, "To activate deployment server, you must place at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. In this case, the app is the "send to indexer" app you created earlier, and the host is the indexer you set up initially., , ]

Questions # 16:

Which of the following is a valid distributed search group?

Options:

[distributedSearch:Paris] default = false servers = server1, server2

[searchGroup:Paris] default = false servers = server1:8089, server2:8089

[searchGroup:Paris] default = false servers = server1:9997, server2:9997

[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer

Explanation

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Questions # 17:

Which Splunk configuration file is used to enable data integrity checking?

Options:

props.conf

global.conf

indexes.conf

data_integrity.conf

Answer

Explanation

https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/Dataintegritycontrol#:~:text=When%20you%20enable%20data%20integrity%20control%2C%20Splunk%20Enterprise%20computes%20hashes,it%20to%20a%20l1Hashes%20file.

[Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Dataintegritycontrol, ]

Questions # 18:

How can native authentication be disabled in Splunk?

Options:

Remove the $SPLUNK_HOME/etc/passwd file

Create an empty $SPLUNK_HOME/etc/passwd file

Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

Set nativeAuthentication=false in authentication.conf

Answer

Explanation

[Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount, ]

Questions # 19:

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

Options:

IgnoreOlderThan

allowList

monitor

followTail

Answer

Explanation

IgnoreOlderThan:This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList:This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor:This is the default method for monitoring files but does not address indexing pre-existing data.

followTail:This attribute, when set in inputs.conf, ensures that Splunk starts reading a file from the end (tail) and does not index existing old data. It is ideal for scenarios with large files where only new updates are relevant.

[References:, Splunk Docs: Monitor text files, Splunk Docs: Configure followTail in inputs.conf, , , ]

Questions # 20:

Which of the following is valid distribute search group?

Question # 20