All About Approved SPLK-1003 Study Guide

Free SPLK-1003 practice questions and a free practice test for the Splunk Enterprise Certified Admin exam, with updated SPLK-1003 PDF and VCE materials.

Free SPLK-1003 Demo Online for Splunk Certification:

NEW QUESTION 1
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

  • A. License data
  • B. Metrics data
  • C. Internal Splunk data
  • D. Internal Windows logs

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/581441/how-is-the-splunk-license-measured.html

NEW QUESTION 2
How often does Splunk recheck the LDAP server?

  • A. Every 5 minutes.
  • B. Each time a user logs in.
  • C. Each time Splunk is restarted.
  • D. Varies based on LDAP_refresh setting.

Answer: D

Explanation:
Reference: http://docshare02.docshare.tips/files/22651/226514302.pdf

NEW QUESTION 3
What options are available when creating custom roles? (Select all that apply.)

  • A. Restrict search terms.
  • B. Whitelist search terms.
  • C. Limit the number of concurrent search jobs.
  • D. Allow or restrict indexes that can be searched.

Answer: AD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Aboutusersandroles

NEW QUESTION 4
For single-line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?

  • A. True
  • B. False
  • C. <regex string>
  • D. Newline Character

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/704533/what-are-the-best-practices-for-defining-source-ty.html

NEW QUESTION 5
Which Splunk component requires a Forwarder license?

  • A. Search head
  • B. Heavy forwarder
  • C. Heaviest forwarder
  • D. Universal forwarder

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/70017/heavy-forwarder-costs-and-licenses.html

NEW QUESTION 6
Where are license files stored?

  • A. $SPLUNK_HOME/etc/secure
  • B. $SPLUNK_HOME/etc/system
  • C. $SPLUNK_HOME/etc/licenses
  • D. $SPLUNK_HOME/etc/apps/licenses

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/LicenserCLIcommands

NEW QUESTION 7
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?

  • A. _TCP_ROUTING
  • B. _INDEXER_LIST
  • C. _INDEXER_GROUP
  • D. _INDEXER_ROUTING

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Monitorfilesanddirectorieswithinputs.conf

NEW QUESTION 8
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?

  • A. REGEX, DEST, FORMAT
  • B. REGEX, SRC_KEY, FORMAT
  • C. REGEX, DEST_KEY, FORMAT
  • D. REGEX, DEST_KEY, FORMATTING

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Transformsconf

NEW QUESTION 9
What is required when adding a native user to Splunk? (Select all that apply.)

  • A. Password
  • B. Username
  • C. Full Name
  • D. Default app

Answer: CD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Addandeditusers

NEW QUESTION 10
Which of the following statements apply to directory inputs? (Select all that apply.)

  • A. All discovered text files are consumed.
  • B. Compressed files are ignored by default.
  • C. Splunk recursively traverses through the directory structure.
  • D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer: C

Explanation:
Reference: https://answers.splunk.com/answers/133875/recursive-monitoring-of-directories.html

NEW QUESTION 11
Which of the following apply to how distributed search works? (Select all that apply.)

  • A. The search head dispatches searches to the peers.
  • B. The search peers pull the data from the forwarders.
  • C. Peers run searches in parallel and return their portion of results.
  • D. The search head consolidates the individual results and prepares reports.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Whatisdistributedsearch

NEW QUESTION 12
Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.)

  • A. _licence
  • B. _internal
  • C. _external
  • D. _thefishbucket

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Howindexingworks

NEW QUESTION 13
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

  • A. Deployer
  • B. Cluster master
  • C. Deployment server
  • D. Search head cluster master

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/PropagateSHCconfigurationchanges

NEW QUESTION 14
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

  • A. /var/log/messages
  • B. /var/log/maillog
  • C. /var/log/maillog and /var/log/messages
  • D. none of the above

Answer: C

NEW QUESTION 15
Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

  • A. CLI
  • B. Splunk Web
  • C. Editing inputs.conf
  • D. Editing monitor.conf

Answer: AB

Explanation:
Reference: http://dev.splunk.com/view/dev-guide/SP-CAAAE3A

NEW QUESTION 16
Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)

  • A. $SPLUNK_HOME/bin/scripts
  • B. $SPLUNK_HOME/etc/apps/bin
  • C. $SPLUNK_HOME/etc/system/bin
  • D. $SPLUNK_HOME/etc/apps/<your_app>/bin

Answer: ACD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Getdatafromscriptedinputs#Where_to_place_the_scripts_for_scripted_inputs

NEW QUESTION 17
User role inheritance allows what to be inherited from the parent role? (Select all that apply.)

  • A. Parents
  • B. Capabilities
  • C. Index access
  • D. Search history

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

NEW QUESTION 18
The universal forwarder has which capabilities when sending data? (Select all that apply.)

  • A. Sending alerts
  • B. Compressing data
  • C. Obfuscating/hiding data
  • D. Indexer acknowledgement

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Typesofforwarders

NEW QUESTION 19
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

  • A. ... is not supported in monitor stanzas.
  • B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
  • C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
  • D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

NEW QUESTION 20
Which of the following authentication types requires scripting in Splunk?

  • A. ADFS
  • B. LDAP
  • C. SAML
  • D. RADIUS

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/131127/scripted-authentication.html

NEW QUESTION 21
To set up a network input in Splunk, what needs to be specified?

  • A. File path.
  • B. Username and password.
  • C. Network protocol and port number.
  • D. Network protocol and MAC address.

Answer: A

Explanation:
Reference: http://dev.splunk.com/view/dev-guide/SP-CAAAE3A
