Summer Certification Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code = getmirror

Home
Splunk
Splunk Enterprise Certified Admin
SPLK-1003
Splunk Enterprise Certified Admin Questions and Answers

Pass the Splunk Enterprise Certified Admin SPLK-1003 Questions and answers with ExamsMirror

Practice at least 50% of the questions to maximize your chances of passing.

Exam SPLK-1003 Premium Access

View all detail and faqs for the SPLK-1003 exam

Go to Exam

645 Students Passed

90% Average Score

98% Same Questions

Viewing page 6 out of 7 pages

Viewing questions 51-60 out of questions

Questions # 51:

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

Options:

_license

_lnternal

_external

_thefishbucket

Answer

B, D

Explanation

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Questions # 52:

In which phase do indexed extractions in props.conf occur?

Options:

Inputs phase

Parsing phase

Indexing phase

Searching phase

Answer

Explanation

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

[Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/, Configurationparametersandthedatapipeline, ]

Questions # 53:

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

Options:

REGEX, DEST. FORMAT

REGEX.SRC_KEY, FORMAT

REGEX, DEST_KEY, FORMAT

REGEX, DEST_KEY FORMATTING

Answer

Explanation

REGEX =

* Enter a regular expression to operate on your data.

FORMAT =

* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configuration require the FORMAT settings. The FORMAT settings is optional for search-time field extraction configurations.

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY =

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Questions # 54:

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

Options:

Duo Administrator

LDAP Administrator

SAML Administrator

Trio Administrator

Answer

Explanation

[Reference: https://duo.com/docs/splunk, ]

Questions # 55:

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

Options:

Map Users

Map Groups

Map LDAP Inheritance

Map LDAP to Active Directory

Answer

Explanation

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

"You can map either users or groups, but not both. If you are using groups, all users must be members of an appropriate group. Groups inherit capabilities form the highest level role they're a member of." "If your LDAP environment does not have group entries, you can treat each user as its own group."

[Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/ConfigureLDAPwithSplunkWeb, ]

Questions # 56:

Which forwarder is recommended by Splunk to use in a production environment?

Options:

Heavy forwarder

SSL forwarder

Lightweight forwarder

Universal forwarder

Answer

Explanation

[Reference:https://community.splunk.com/t5/Getting-Data-In/Splunk-forwarder/m-p/18009, The forwarder that is recommended by Splunk to use in a production environment is the universal forwarder. The universal forwarder is a lightweight Splunk agent that forwards data to indexers or other forwarders. The universal forwarder has a small footprint and consumes minimal system resources. It also supports secure and reliable data forwarding with encryption and acknowledgement features. Therefore, option D is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [About forwarding and receiving data - Splunk Documentation], , , ]

Questions # 57:

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

Options:

Universal forwarders

Splunk Cloud

Linux package managers

Windows using WMI

Answer

Explanation

[Reference:https://community.splunk.com/t5/Deployment-Architecture/Push-apps-from-deployment-server-automatically-to-universal/m-p/328191, The deployment server is a Splunk component that distributes apps and other configurations to deployment clients, which are Splunk instances that receive updates from the deployment server. The deployment server can push apps to single, non-clustered Splunk instances, as well as universal forwarders, which are lightweight Splunk agents that forward data to indexers. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [About deployment server and forwarder management - Splunk Documentation], , , ]

Questions # 58:

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

Question # 58

Options:

host=server1index=unixinfo

host=server1index=searchinfo

host=searchsvr1index=searchinfo

host=unixsvr1index=unixinfo

Answer

Explanation

- etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see :https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical-stanzas-within-a-single/m-p/283566

Questions # 59:

What happens when the same username exists in Splunk as well as through LDAP?

Options:

Splunk user is automatically deleted from authentication.conf.

LDAP settings take precedence.

Splunk settings take precedence.

LDAP user is automatically deleted from authentication.conf

Answer

Explanation

[Reference:https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Security/SetupuserauthenticationwithLDAP, , Splunk platform attempts native authentication first. If authentication fails outside of a local account that doesn't exist, there is no attempt to use LDAP to log in. This is adapted from precedence of Splunk authentication schema., , , ]

Questions # 60:

What action is required to enable forwarder management in Splunk Web?

Options:

Navigate to Settings > Server Settings > General Settings, and set an App server port.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

Create a server class and map it to a client inSPLUNK_HOME/etc/system/local/serverclass.conf.

Place an app in theSPLUNK_HOME/etc/deployment-appsdirectory of the deployment server.

Answer

Explanation

[Reference:https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Forwardermanagementoverview, , https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver, "To activate deployment server, you must place at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. In this case, the app is the "send to indexer" app you created earlier, and the host is the indexer you set up initially., , , ]

Viewing page 6 out of 7 pages

Viewing questions 51-60 out of questions