Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 121:

  If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

  A. Indexer

  B. Forwarder

  C. Search head

  D. Deployment server

  Correct Answer: A

  https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket- thing.html "Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf"

  Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a- forwarder/td-p/93310

• Question 122:

  To set up a Network input in Splunk, what needs to be specified'?

  A. File path.

  B. Username and password

  C. Network protocol and port number.

  D. Network protocol and MAC address.

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

• Question 123:

  In which Splunk configuration is the SEDCMD used?

  A. props, conf

  B. inputs.conf

  C. indexes.conf

  D. transforms.conf

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

  "You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. "

• Question 124:

  Which of the following is valid distribute search group?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: D

• Question 125:

  Which of the following must be done to define user permissions when integrating Splunk with LDAP?

  A. Map Users

  B. Map Groups

  C. Map LDAP Inheritance

  D. Map LDAP to Active Directory

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb "You can map either users or groups, but not both. If you are using groups, all users must be members of an appropriate group. Groups inherit capabilities form the highest level role they're a member of." "If your LDAP environment does not have group entries, you can treat each user as its own group."

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/ConfigureLDAPwithSplunkWeb

• Question 126:

  When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

  A. Slash notation

  B. Regular expression

  C. Irregular expression

  D. Wildcard-only expression

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincom ingdata#Include_or_exclude_specific_incoming_data

• Question 127:

  What event-processing pipelines are used to process data for indexing? (select all that apply)

  A. fifo pipeline

  B. Indexing pipeline

  C. Parsing pipeline

  D. Typing pipeline

  Correct Answer: BC

  The indexing pipeline and the parsing pipeline are the two pipelines that are responsible for transforming the raw data into events and preparing them for indexing. The indexing pipeline applies index-time settings, such as timestamp extraction, line breaking, host extraction, and source type recognition. The parsing pipeline applies parsing settings, such as field extraction, event segmentation, and event annotation.

• Question 128:

  The universal forwarder has which capabilities when sending data? (select all that apply)

  A. Sending alerts

  B. Compressing data

  C. Obfuscating/hiding data

  D. Indexer acknowledgement

  Correct Answer: BD

  https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20 sends%20raw%20data.

• Question 129:

  What is the name of the object that stores events inside of an index?

  A. Container

  B. Bucket

  C. Data layer

  D. Indexer

  Correct Answer: B

  A bucket is the object that stores events inside of an index. According to the Splunk documentation, "An index is a collection of directories, also called buckets, that contain index files. Each bucket represents a specific time range." A bucket can be in one of several states, such as hot, warm, cold, frozen, or thawed. Buckets are managed by indexers or clusters of indexers.

• Question 130:

  Which of the following is a valid distributed search group?

  A. [distributedSearch:Paris] default = false servers = server1, server2

  B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089

  C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997

  D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups