Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 171:

  What is the correct example to redact a plain-text password from raw events?

  A. in props.conf: [identity] REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

  B. in props.conf: [identity] SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

  C. in transforms.conf: [identity] SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

  D. in transforms.conf: [identity] REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

  Correct Answer: B

  The correct answer is B. in props.conf:

  [identity]

  SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g According to the Splunk documentation1, to redact sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file. The SEDCMD attribute

  applies a sed expression to the raw data before indexing. The sed expression can use the s command to replace a pattern with a substitution string. For example, the following sed expression replaces any occurrence of password= followed

  by any characters until a comma, whitespace, or slash with ####REACTED####:

  s/password=([^,|/s]+)/ ####REACTED####/g

  The g flag at the end means that the replacement is applied globally, not just to the first match.

  Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them. Option C is incorrect because it uses the transforms.conf file instead

  of the props.conf file. The transforms.conf file is used to define transformations that can be applied to fields or events, such as lookups, evaluations, or replacements. However, these transformations are applied after indexing, not before.

  Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file. References:1:Redact data from events - Splunk Documentation

• Question 172:

  In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

  

  Event example:

  

  A. MAX_TIMESTAMP_L0CKAHEAD = 5

  B. MAX_TIMESTAMP_LOOKAHEAD - 10

  C. MAX_TIMESTAMF_LOOKHEAD = 20

  D. MAX TIMESTAMP LOOKAHEAD - 30

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 029 position, so D=30 will pick up the WHOLE timestamp correctly.

• Question 173:

  A new forwarder has been installed with a manually createddeploymentclient.conf.

  What is the next step to enable the communication between the forwarder and the deployment server?

  A. Restart Splunk on the deployment server.

  B. Enable the deployment client in Splunk Web under Forwarder Management.

  C. Restart Splunk on the deployment client.

  D. Wait for up to the time set in thephoneHomeIntervalInSecssetting.

  Correct Answer: C

  The next step to enable the communication between the forwarder and the deployment server after installing a new forwarder with a manually created deploymentclient.conf is to restart Splunk on the deployment client. The deploymentclient.conf file contains the settings for the deployment client, which is a Splunk instance that receives updates from the deployment server. The file must include the targetUri attribute, which specifies the hostname and management port of the deployment server. To apply the changes in the deploymentclient.conf file, Splunk must be restarted on the deployment client. Therefore, option C is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [Configure deployment clients - Splunk Documentation]

• Question 174:

  What is the correct curl to send multiple events through HTTP Event Collector?

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: B

  curl "https://mysplunkserver.example.com:8088/services/collector" \ -H "Authorization: Splunk DF4S7ZE4-3GS1-8SFS-E777-0284GG91PF67" \ -d `{"event": "Hello World"}, {"event": "Hola Mundo"}, {"event": "Hallo Welt"}'. This is the correct curl command to send multiple events through HTTP Event Collector (HEC), which is a token-based API that allows you to send data to Splunk Enterprise from any application that can make an HTTP request. The command has the following components: The URL of the HEC endpoint, which consists of the protocol (https), the hostname or IP address of the Splunk server (mysplunkserver.example.com), the port number (8088), and the service name (services/collector). The header that contains the authorization token, which is a unique identifier that grants access to the HEC endpoint. The token is prefixed with Splunk and enclosed in quotation marks. The token value (DF4S7ZE4-3GS1-8SFS-E777- 0284GG91PF67) is an example and should be replaced with your own token value. The data payload that contains the events to be sent, which are JSON objects enclosed in curly braces and separated by commas. Each event object has a mandatory field called event, which contains the raw data to be indexed. The event value can be a string, a number, a boolean, an array, or another JSON object. In this case, the event values are strings that say hello in different languages.

• Question 175:

  How would you configure your distsearch conf to allow you to run the search below?

  sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON A. Option A

  

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

• Question 176:

  Which pathway represents where a network input in Splunk might be found?

  A. $SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

  B. $SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

  C. $SPLUNK HOME/ system/ local /udp.conf

  D. $SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

  Correct Answer: B

  The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file. A network input is a type of input that monitors data from TCP or UDP ports. To configure a network

  input, you need to specify the port number, the connection host, the source, and the sourcetype in the inputs.conf file.You can also set other optional settings, such as index, queue, and host_regex1. The inputs.conf file is a configuration file

  that contains the settings for different types of inputs, such as files, directories, scripts, network ports, and Windows event logs. The inputs.conf file can be located in various directories, depending on the scope and priority of the settings. The

  most common locations are:

  $SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs.You should not modify or copy the files in this directory2. $SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all

  inputs that apply to the entire Splunk instance.The settings in this directory override the default settings2.

  $SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app.You should not modify or copy the files in this directory2. $SPLUNK_HOME/etc/apps/$appName/local: This

  directory contains the custom settings for all inputs that are specific to an app.The settings in this directory override the default and system settings2. Therefore, the best practice is to create or edit the inputs.conf file in the $SPLUNK_HOME/

  etc/apps/$appName/local directory, where $appName is the name of the app that you want to configure the network input for. This way, you can avoid modifying the default files and ensure that your settings are applied to the specific app.

  The other options are incorrect because:

  A. There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory. C. There is no udp.conf file in Splunk. The network input settings should be in the inputs.conf file, not in a separate file. The system directory is not the recommended location for custom settings, as it affects the entire Splunk instance. D. The var/lib/splunk directory is where Splunk stores the indexed data, not the input settings. The homePath setting is used to specify the location of the index data, not the input data. The inputName is not a valid variable for inputs.conf.

• Question 177:

  Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

  A. Deployer

  B. Cluster master

  C. Deployment server

  D. Search head cluster master

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: "The deployment server distributes deployment apps to clients."

• Question 178:

  Which valid bucket types are searchable? (select all that apply)

  A. Hot buckets

  B. Cold buckets

  C. Warm buckets

  D. Frozen buckets

  Correct Answer: ABC

  Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

• Question 179:

  A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

  Which command would meet these needs?

  A. splunk add one shot / opt/ incident [data .log --index incident

  B. splunk edit monitor /opt/incident/data.* --index incident

  C. splunk add monitor /opt/incident/data.log --index incident

  D. splunk edit oneshot [opt/ incident/data.* --index incident

  Correct Answer: A

  The correct answer is A. splunk add one shot / opt/ incident [data . log --index incident According to the Splunk documentation1, the splunk add one shot command adds a single file or directory to the Splunk index and then stops monitoring it.

  This is useful for ingesting static files that do not change or update. The command takes the following syntax:

  splunk add one shot -index

  The file parameter specifies the path to the file or directory to be indexed. The index parameter specifies the name of the index where the data will be stored. If the index does not exist, Splunk will create it automatically. Option B is incorrect because the splunk edit monitor command modifies an existing monitor input, which is used for ingesting files or directories that change or update over time. This command does not create a new monitor input, nor does it stop monitoring after indexing. Option C is incorrect because the splunk add monitor command creates a new monitor input, which is also used for ingesting files or directories that change or update over time. This command does not stop monitoring after indexing. Option D is incorrect because the splunk edit oneshot command does not exist. There is no such command in the Splunk CLI. References:1:Monitor files and directories with inputs.conf - Splunk Documentation

• Question 180:

  An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

  is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

  index?

  A. Buy a bigger Splunk license.

  B. Add 2.5 TB each day for the next 5 days.

  C. Add all 10 TB in a single 24 hour period.

  D. Add 200 GB of historical data each day for 50 days.

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations "An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate."