Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 131:

  Which Splunk component does a search head primarily communicate with?

  A. Indexer

  B. Forwarder

  C. Cluster master

  D. Deployment server

  Correct Answer: A

• Question 132:

  What type of Splunk license is pre-selected in a brand new Splunk installation?

  A. Free license

  B. Forwarder license

  C. Enterprise trial license

  D. Enterprise license

  Correct Answer: C

  A Splunk Enterprise trial license gives you access to all the features of Splunk Enterprise for a limited period of time, usually 60 days1. After the trial period expires, you can either purchase a Splunk Enterprise license or switch to a Free license. A Splunk Enterprise Free license allows you to index up to 500 MB of data per day, but some features are disabled, such as authentication, distributed search, and alerting. You can switch to a Free license at any time during the trial period or after the trial period expires. A Splunk Enterprise Forwarder license is used with forwarders, which are Splunk instances that forward data to other Splunk instances. A Forwarder license does not allow indexing or searching of data. You can install a Forwarder license on any Splunk instance that you want to use as a forwarder. A Splunk Enterprise commercial end-user license is a license that you purchase from Splunk based on either data volume or infrastructure. This license gives you access to all the features of Splunk Enterprise within a defined limit of indexed data per day (volume-based license) or vCPU count (infrastructure license). You can purchase and install this license after the trial period expires or at any time during the trial period1.

• Question 133:

  How does the Monitoring Console monitor forwarders?

  A. By pulling internal logs from forwarders.

  B. By using the forwarder monitoring add-on

  C. With internal logs forwarded by forwarders.

  D. With internal logs forwarded by deployment server.

  Correct Answer: C

  Quoting the following Splunk URL reference https://docs.splunk.com/Documentation/Splunk/8.2.2/DMC/DMCprerequisites "Monitoring Console setup prerequisites. Forward internal logs (both $SPLUNK_HOME/car/log/splunk and$SPLUNK_HOME/var/log/introspection) to indexers from all other components. Without this step, many dashboards will lack data."

• Question 134:

  After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

  A. 90 days

  B. 60 days

  C. 7 days

  D. 14 days

  Correct Answer: B

  Reference:https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/MoreaboutSplunkFree

  https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

• Question 135:

  Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of users?

  A. Linked roles

  B. Grantable roles

  C. Role federation

  D. Role inheritance

  Correct Answer: D

  You can have a role inherit certain properties from one or more existing rolehttps://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

• Question 136:

  What is the default value ofLINE_BREAKER?

  A. \r\n

  B. ([\r\n]+)

  C. \r+\n+

  D. (\r\n+)

  Correct Answer: B

  Reference:https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Data/Configuree ventlinebreaking

  Line breaking, which uses the LINE_BREAKER setting to split the incoming stream of data into separate lines. By default, the LINE_BREAKER value is any sequence of newlines and carriage returns. In regular expression format, this is represented as the following string: ([\r\n]+). You don't normally need to adjust this setting, but in cases where it's necessary, you must configure it in the props.conf configuration file on the forwarder that sends the data to Splunk Cloud Platform or a Splunk Enterprise indexer. The LINE_BREAKER setting expects a value in regular expression format.

• Question 137:

  Immediately after installation, what will a Universal Forwarder do first?

  A. Automatically detect any indexers in its subnet and begin routing data.

  B. Begin reading local files on its server.

  C. Begin generating internal Splunk logs.

  D. Send an email to the operator that the installation process has completed.

  Correct Answer: C

  Begin generating internal Splunk logs. Immediately after installation, a Universal Forwarder will start generating internal Splunk logs that contain information about its own operation, such as startup and shutdown events, configuration changes, data ingestion, and forwarding activities. These logs are stored in the $SPLUNK_HOME/var/log/splunk directory on the Universal Forwarder machine.

• Question 138:

  Which of the following describes a Splunk deployment server?

  A. A Splunk Forwarder that deploys data to multiple indexers.

  B. A Splunk app installed on a Splunk Enterprise server.

  C. A Splunk Enterprise server that distributes apps.

  D. A server that automates the deployment of Splunk Enterprise to remote servers.

  Correct Answer: C

  A Splunk deployment server is a system that distributes apps, configurations, and other assets to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk Enterprise components: forwarders, non-

  clustered indexers, and search heads.

  A Splunk deployment server is available on every full Splunk Enterprise instance. To use it, you must activate it by placing at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. A

  Splunk deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. A server class is a group of deployment clients that share one or more defined characteristics.

  A Splunk deployment client is a Splunk instance remotely configured by a deployment server. Deployment clients can be universal forwarders, heavy forwarders, indexers, or search heads. Each deployment client belongs to one or more

  server classes.

  A Splunk deployment app is a set of content (including configuration files) maintained on the deployment server and deployed as a unit to clients of a server class. A deployment app can be an existing Splunk Enterprise app or one developed

  solely to group some content for deployment purposes. Therefore, option C is correct, and the other options are incorrect.

• Question 139:

  What happens when there are conflicting settings within two or more configuration files?

  A. The setting is ignored until conflict is resolved.

  B. The setting for both values will be used together.

  C. The setting with the lowest precedence is used.

  D. The setting with the highest precedence is used.

  Correct Answer: D

  When there are conflicting settings within two or more configuration files, the setting with the highest precedence is used. The precedence of configuration files is determined by a combination of the file type, the directory location, and the alphabetical order of the file names.

• Question 140:

  In this example, ifuseACKis set to true and themaxQueueSizeis set to 7MB, what is the size of the wait queue on this universal forwarder?

  A. 21MB

  B. 28MB

  C. 14MB

  D. 7MB

  Correct Answer: A