Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 101:

  Which of the following statements apply to directory inputs? {select all that apply)

  A. All discovered text files are consumed.

  B. Compressed files are ignored by default

  C. Splunk recursively traverses through the directory structure.

  D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

  Correct Answer: AC

• Question 102:

  Where can scripts for scripted inputs reside on the host file system? (select all that apply)

  A. $SFLUNK_HOME/bin/scripts

  B. $SPLUNK_HOME/etc/apps/bin

  C. $SPLUNK_HOME/etc/system/bin

  D. $S?LUNK_HOME/etc/apps//bin_

  Correct Answer: ACD

  "Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system: $SPLUNK_HOME/etc/system/bin $SPLUNK_HOME/etc/apps//bin $SPLUNK_HOME/bin/scripts As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system."

• Question 103:

  Within props. conf, which stanzas are valid for data modification? (select all that apply)

  A. Host

  B. Server

  C. Source

  D. Sourcetype

  Correct Answer: ACD

  https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf "* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts."https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

• Question 104:

  What are the minimum required settings when creating a network input in Splunk?

  A. Protocol, port number

  B. Protocol, port, location

  C. Protocol, username, port

  D. Protocol, IP. port number

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

  [tcp://:]

  *Configures the input to listen on a specific TCP network port. *If a makes a connection to this instance, the input uses this stanza to configure itself.

  *If you do not specify , this stanza matches all connections on the specified port.

  *Generates events with source set to "tcp:", for example: tcp:514 *If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw"

• Question 105:

  Which of the methods listed below supports muti-factor authentication?

  A. Lightweight Directory Access Protocol (LDAP)

  B. Security Assertion Markup Language (SAML)

  C. Single Sign-on (SSO)

  D. OpenlD

  Correct Answer: B

  SAML is an open standard for exchanging authentication and authorization data between parties, especially between an identity provider and a service provider1. SAML supports multi-factor authentication by allowing the identity provider to require the user to present two or more factors of evidence to prove their identity2. For example, the user may need to enter a password and a one-time code sent to their phone, or scan their fingerprint and face.

• Question 106:

  An organization wants to collect Windows performance data from a set of clients, however, installing Splunk software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

  A. Use Local Windows host monitoring.

  B. Use Windows Remote Inputs with WMI.

  C. Use Local Windows network monitoring.

  D. Use an index with an Index Data Type of Metrics.

  Correct Answer: B

  "The Splunk platform collects remote Windows data for indexing in one of two ways: From Splunk forwarders, Using Windows Management Instrumentation (WMI). For Splunk Cloud deployments, you must use the Splunk Universal Forwarder on a Windows machines to montior remote Windows data."

• Question 107:

  User role inheritance allows what to be inherited from the parent role? (select all that apply)

  A. Parents

  B. Capabilities

  C. Index access

  D. Search history

  Correct Answer: BC

  https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_i nheritance https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

• Question 108:

  A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

  A. followTail = -45d

  B. ignore = 45d

  C. includeNewerThan = -35d

  D. ignoreOlderThan = 45d

  Correct Answer: D

  Reference:https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Configuretimestampr ecognition

• Question 109:

  Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

  A. Universal forwarder

  B. Parsing forwarder

  C. Heavy forwarder

  D. Advanced forwarder

  Correct Answer: C

• Question 110:

  How often does Splunk recheck the LDAP server?

  A. Every 5 minutes

  B. Each time a user logs in

  C. Each time Splunk is restarted

  D. Varies based on LDAP_refresh setting.

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswith LDAP