Splunk Splunk Enterprise Certified Admin SPLK-1003 Questions & Answers

• Question 1:

  Which of the following applies only to Splunk index data integrity check?

  A. Lookup table

  B. Summary Index

  C. Raw data in the index

  D. Data model acceleration

  Correct Answer: C

• Question 2:

  Which Splunk component(s) would break a stream of syslog inputs into individual events? (select all that apply)

  A. Universal Forwarder

  B. Search head

  C. Heavy Forwarder

  D. Indexer

  Correct Answer: CD

  The correct answer is C and D. A heavy forwarder and an indexer are the Splunk components that can break a stream of syslog inputs into individual events. A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, but it does not perform any parsing or indexing on the data. A search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data. A heavy forwarder is a Splunk component that can perform parsing, filtering, routing, and aggregation on the data before forwarding it to indexers or other destinations.A heavy forwarder can break a stream of syslog inputs into individual events based on the line breaker and should linemerge settings in the inputs.conf file1. An indexer is a Splunk component that stores and indexes data, making it searchable.An indexer can also break a stream of syslog inputs into individual events based on the props.conf file settings, such as TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and line_breaker2.

  A Splunk component is a software process that performs a specific function in a Splunk deployment, such as data collection, data processing, data storage, data search, or data visualization. Syslog is a standard protocol for logging messages from network devices, such as routers, switches, firewalls, or servers. Syslog messages are typically sent over UDP or TCP to a central syslog server or a Splunk instance. Breaking a stream of syslog inputs into individual events means separating the data into discrete records that can be indexed and searched by Splunk. Each event should have a timestamp, a host, a source, and a sourcetype, which are the default fields that Splunk assigns to the data. References:

  1: Configure inputs using Splunk Connect for Syslog - Splunk Documentation

  2: inputs.conf - Splunk Documentation

  3: How to configure props.conf for proper line breaking ... - Splunk Community

  4: Reliable syslog/tcp input ?splunk bundle style | Splunk

  5: Configure inputs using Splunk Connect for Syslog - Splunk Documentation

  6: About configuration files - Splunk Documentation [7]: Configure your OSSEC server to send data to the Splunk Add-on for OSSEC - Splunk Documentation [8]: Splunk components - Splunk Documentation [9]: Syslog - Wikipedia [10]: About default fields - Splunk Documentation

• Question 3:

  When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

  A. Nothing changes.

  B. The peer-apps local directory becomes the highest priority.

  C. The app local directories move to second in the priority list.

  D. The system default directory' becomes the highest priority.

  Correct Answer: C

  The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

  In a clustered environment, the precedence of configuration files changes slightly from that of a standalone deployment. The app local directories move to second in the priority list, after the peer-apps local directory. This means that any

  configuration files in the app local directories on the individual peers are overridden by configuration files of the same name and type in the peer-apps local directory on the master node.

• Question 4:

  A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: A

  This option corresponds to the file path "$SPLUNK_HOME/etc/apps/splunk_TA_nginx/local/inputs.conf". This is the configuration file that the user needs to edit to ingest the NGINX access logs to ensure it remains unaffected after upgrade.

  This is explained in the Splunk documentation, which states:

  The local directory is where you place your customized configuration files. The local directory is empty when you install Splunk Enterprise. You create it when you need to override or add to the default settings in a configuration file. The local

  directory is never overwritten during an upgrade.

• Question 5:

  You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list --debug. What will the output be?

  A. list of all the configurations on-disk that Splunk contains.

  B. A verbose list of all configurations as they were when splunkd started.

  C. A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

  D. A list of the current running props, conf configurations along with a file path from which the configuration was made

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroublesh ootconfigurations "The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings." "The report does not necessarily represent what's loaded in memory. If a conf file change is made that requires a service restart, the btool report shows the change even though that change isn't active."

• Question 6:

  Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

  A. LDAP

  B. SAML

  C. RADIUS

  D. Duo Multifactor Authentication

  Correct Answer: ABC

  Reference:https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Setupuserauthent icationwithSplunk

  Splunk authentication: Provides Admin, Power and User by default, and you can define your own roles using a list of capabilities. If you have an Enterprise license, Splunk authentication is enabled by default. See Set up user authentication with Splunk's built-in system for more information. LDAP: Splunk Enterprise supports authentication with its internal authentication services or your existing LDAP server. See Set up user authentication with LDAP for more information. Scripted authentication API: Use scripted authentication to integrate Splunk authentication with an external authentication system, such as RADIUS or PAM. See Set up user authentication with external systems for more information. Note: Authentication, including native authentication, LDAP, and scripted authentication, is not available in Splunk Free.

• Question 7:

  How can native authentication be disabled in Splunk?

  A. Remove the $SPLUNK_HOME/etc/passwd file

  B. Create an empty $SPLUNK_HOME/etc/passwd file

  C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

  D. Set nativeAuthentication=false in authentication.conf

  Correct Answer: B

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount

• Question 8:

  After how many warnings within a rolling 30-day period will a license violation occur with an enforced Enterprise license?

  A. 1

  B. 3

  C. 4

  D. 5

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations "Enterprise Trial license. If you get five or more warnings in a rolling 30 days period, you are in violation of your license. Dev/Test license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Developer license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. BUT for Free license. If you get three or more warnings in a rolling 30 days period, you are in violation of your license."

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

• Question 9:

  When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

  A. Default app

  B. LDAP group

  C. Password

  D. Username

  Correct Answer: A

  When Splunk is integrated with LDAP, most of the user attributes are managed by the LDAP server and cannot be changed in the Splunk UI. However, one exception is the default app attribute, which specifies which app a user sees when they log in to Splunk. This attribute can be changed in the Splunk UI by editing the user settings. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [Configure Splunk to use LDAP and map groups - Splunk Documentation]

• Question 10:

  When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

  A. Enable indexer acknowledgment.

  B. Enable forwarder acknowledgment.

  C. splunk check-integrity -index

  D. index=_internal component=ACK | stats count by host

  Correct Answer: A

  Per the provided Splunk reference URL https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

  "While HEC has precautions in place to prevent data loss, it's impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknolwedgment comes in."

  Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck