Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 151:

  When would the following command be used?

  

  A. To verify' the integrity of a local index.

  B. To verify the integrity of a SmartStore index.

  C. To verify the integrity of a SmartStore bucket.

  D. To verify the integrity of a local bucket.

  Correct Answer: D

  To verify the integrity of a local bucket. The command ./splunk check- integrity -bucketPath [bucket path] [-verbose] is used to verify the integrity of a local bucket by comparing the hashes stored in the l1Hashes and l2Hash files with the actual data in the bucket1. This command can help detect any tampering or corruption of the data.

• Question 152:

  What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?

  

  A. host=server1 index=unixinfo

  B. host=server1 index=searchinfo

  C. host=searchsvr1 index=searchinfo

  D. host=unixsvr1 index=unixinfo

  Correct Answer: A

  - etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see :https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical- stanzas-within-a-single/ m-p/283566

• Question 153:

  Which of the following is a benefit of distributed search?

  A. Peers run search in sequence.

  B. Peers run search in parallel.

  C. Resilience from indexer failure.

  D. Resilience from search head failure.

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch Parallel reduce search processing If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.

• Question 154:

  Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

  A. props.conf

  B. inputs.conf

  C. rawdata.conf

  D. transforms.conf

  Correct Answer: AD

  https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextrac tionswithfieldtransforms use transformations with props.conf and transforms.conf to: Mask or delete raw data as it is being indexed verride sourcetype or host based upon event values Route events to specific indexes based on event content ?Prevent unwanted events from being indexed

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Configuretimestamprecognition

• Question 155:

  What is an example of a proper configuration for CHARSET within props.conf?

  A. [host: : server. splunk. com] CHARSET = BIG5

  B. [index: :main] CHARSET = BIG5

  C. [sourcetype: : son] CHARSET = BIG5

  D. [source: : /var/log/ splunk] CHARSET = BIG5

  Correct Answer: A

  According to the Splunk documentation1, to manually specify a character set for an input, you need to set the CHARSET key in the props.conf file. You can specify the character set by host, source, or sourcetype, but not by index. https:// docs.splunk.com/Documentation/Splunk/latest/Data/Configurecharactersetencoding

• Question 156:

  The Splunk administrator wants to ensure data is distributed evenly amongst the indexers.

  To do this, he runs the following search over the last 24 hours:

  index=*

  What field can the administrator check to see the data distribution?

  A. host

  B. index

  C. linecount

  D. splunk_server

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server The splunk server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment. Example: Restrict a search to the main index on a server named remote. splunk_server=remote index=main 404

• Question 157:

  Where should apps be located on the deployment server that the clients pull from?

  A. $SFLUNK_KOME/etc/apps

  B. $SPLUNK_HCME/etc/sear:ch

  C. $SPLUNK_HCME/etc/master-apps

  D. $SPLUNK HCME/etc/deployment-apps

  Correct Answer: D

  After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

• Question 158:

  When running a real-time search, search results are pulled from which Splunk component?

  A. Heavy forwarders and search peers

  B. Heavy forwarders

  C. Search heads

  D. Search peers

  Correct Answer: D

  Using the Splunk reference URLhttps://docs.splunk.com/Splexicon:Searchpeer

  "search peer is a splunk platform instance that responds to search requests from a search head. The term "search peer" is usally synonymous with the indexer role in a distributed search topology. However, other instance types also have access to indexed data, particularly internal diagnostic data, and thus function as search peers when they respond to search requests for that data."

• Question 159:

  What options are available when creating custom roles? (select all that apply)

  A. Restrict search terms

  B. Whitelist search terms

  C. Limit the number of concurrent search jobs

  D. Allow or restrict indexes that can be searched.

  Correct Answer: ACD

  https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Admin/ConcurrentLimits "Set limits for concurrent scheduled searches. You must have the edit_search_concurrency_all and edit_search_concurrency_scheduled capabilities to configure these settings."

• Question 160:

  On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

  A. The blacklist takes precedence over the whitelist.

  B. The whitelist takes precedence over the blacklist.

  C. Wildcards are not supported in any client filters.

  D. Machine type filters are applied before the whitelist and blacklist.

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients Reference: https://community.splunk.com/t5/Getting-Data-In/Can-I-use-both-the-whitelist- AND-blacklist-forthe-same/td-p/390910