Splunk splk-1003 practice test

Splunk Enterprise Certified Admin Exam

Last exam update: Dec 15 ,2024
Page 1 out of 9. Viewing questions 1-15 out of 138

Question 1

Which setting allows the configuration of Splunk to allow events to span over more than one line?

  • A. SHOULD_LINEMERGE = true
  • B. BREAK_ONLY_BEFORE_DATE = true
  • C. BREAK_ONLY_BEFORE = <REGEX pattern>
  • D. SHOULD_LINEMERGE = false
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureeventlinebreaking

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
8179740030
5 months ago

answer A right

0
8179740030
5 months ago

efmklrngjnnedmln,.en

0

Question 2

What is the command to reset the fishbucket for one source?

  • A. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
  • B. splunk clean eventdata -index _thefishbucket
  • C. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset
  • D. splunk btool fishbucket reset <source>
Answer:

C


Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/How-can-I-trigger-the-re-indexing-of-
a-single-file/m-p/108568

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 3

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps
to?

  • A. Universal forwarders
  • B. Splunk Cloud
  • C. Linux package managers
  • D. Windows using WMI
Answer:

A


Explanation:
Reference:
https://community.splunk.com/t5/Deployment-Architecture/Push-apps-from-
deployment-server-automatically-to-universal/m-p/328191

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 4

All search-time field extractions should be specified on which Splunk component?

  • A. Deployment server
  • B. Universal forwarder
  • C. Indexer
  • D. Search head
Answer:

C


Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/README/props.conf.spec

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 5

Which artifact is required in the request header when creating an HTTP event?

  • A. ackID
  • B. Token
  • C. Manifest
  • D. Host name
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/FormateventsforHTTPEventCollector

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 6

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

  • A. splunk btool server list --debug
  • B. splunk list forward-indexer
  • C. splunk list forward-server
  • D. splunk btool indexes list --debug
Answer:

C


Explanation:
Reference:
https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-configure-a-Splunk-
Forwarder-on-Linux/m-p/72078

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 7

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP
user?

  • A. Default app
  • B. LDAP group
  • C. Password
  • D. Username
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Security/ConfigureLDAPwithSplunkWeb

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 8

Which default Splunk role could be assigned to provide users with the following capabilities?
Create saved searches
Edit shared objects and alerts
Not allowed to create custom roles

  • A. admin
  • B. power
  • C. user
  • D. splunk-system-role
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Aboutusersandroles

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 9

Which of the following is a valid distributed search group?

  • A. [distributedSearch:Paris] default = false servers = server1, server2
  • B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089
  • C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997
  • D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089
Answer:

D


User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

Which of the following types of data count against the license daily quota?

  • A. Replicated data
  • B. splunkd logs
  • C. Summary index data
  • D. Windows internal logs
Answer:

D


Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deploy
ments_and_licensing_issues
Reference:
https://community.splunk.com/t5/Deployment-Architecture/License-usage-in-Indexer-
Cluster/m-p/493548

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which of the following applies only to Splunk index data integrity check?

  • A. Lookup table
  • B. Summary Index
  • C. Raw data in the index
  • D. Data model acceleration
Answer:

C


User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

  • A. /opt/splunk/ecc/apps/search/bin/liscer.sh
  • B. unknown
  • C. liscer
  • D. liscer.sh
Answer:

A


Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf
-Scroll down to source = <string>
*Default: the input file path

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

What happens when the same username exists in Splunk as well as through LDAP?

  • A. Splunk user is automatically deleted from authentication.conf.
  • B. LDAP settings take precedence.
  • C. Splunk settings take precedence.
  • D. LDAP user is automatically deleted from authentication.conf
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Security/Setupuserauthenticationw
ithLDAP
Splunk platform attempts native authentication first. If authentication fails outside of a local account
that doesn't exist, there is no attempt to use LDAP to log in. This is adapted from precedence of
Splunk authentication schema.

User Votes:
A
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

Which Splunk forwarder has a built-in license?

  • A. Light forwarder
  • B. Heavy forwarder
  • C. Universal forwarder
  • D. Cloud forwarder
Answer:

C


Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Do-we-need-a-license-for-Heavy-
forwarder/m-p/210451

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 15

Which of the following is an appropriate description of a deployment server in a non-cluster
environment?

  • A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.
  • B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
  • C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
  • D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/StartSplunk
https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture
"A deployment client is a Splunk instance remotely configured by a deployment server".

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2