Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 11:

  Local user accounts created in Splunk store passwords in which file?

  A. $ SFLUNK_HOME/etc/passwd

  B. $ SFLUNK_HOME/etc/authentication

  C. $ S?LUNK_HOME/etc/users/passwd.conf

  D. $ SPLUNK HOME/etc/users/authentication.conf

  Correct Answer: A

  Per the provided reference URLhttps://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf "To set the default username and password, place user-seed.conf in $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used."

• Question 12:

  Consider the following stanza ininputs.conf:

  

  What will the value of the source filed be for events generated by this scripts input?

  A. /opt/splunk/ecc/apps/search/bin/liscer.sh

  B. unknown

  C. liscer

  D. liscer.sh

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

  -Scroll down to source = *Default: the input file path

• Question 13:

  UsingSEDCMDinprops.confallows raw data to be modified. With the given event below, which option will mask the first three digits of theAcctIDfield resulting output:[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309 Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

  A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

  B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

  C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

  D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata Scrolling down to the section titled "Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

• Question 14:

  A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

  A. homepath

  B. thawedPath

  C. summaryHomePath

  D. colddeath

  Correct Answer: D

  The coldPath parameter defines the path for the cold buckets, which are the oldest and least frequently accessed data in an index. By setting the coldPath to point to the NAS mount point, the Splunk administrator can achieve the retention strategy of having older data on slower NAS storage.

• Question 15:

  All search-time field extractions should be specified on which Splunk component?

  A. Deployment server

  B. Universal forwarder

  C. Indexer

  D. Search head

  Correct Answer: D

  Search-time field extractions are the process of extracting fields from events after they are indexed. Search-time field extractions are specified on the search head, which is the Splunk component that handles searching and reporting. Search-time field extractions are configured in props.conf and transforms.conf files, which are located in the etc/system/local directory on the search head. Therefore, option D is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [About fields - Splunk Documentation]

• Question 16:

  Which of the following is an appropriate description of a deployment server in a non-cluster environment?

  A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

  B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

  C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

  D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

  Correct Answer: B

  Reference:https://docs.splunk.com/Documentation/Splunk/8.2.1/Admin/StartSplunk

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

  "A deployment client is a Splunk instance remotely configured by a deployment server".

• Question 17:

  Which data pipeline phase is the last opportunity for defining event boundaries?

  A. Input phase

  B. Indexing phase

  C. Parsing phase

  D. Search phase

  Correct Answer: C

  Referencehttps://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparam etersandthedatapipeline

  The parsing phase is the process of extracting fields and values from raw data. The parsing phase respects LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings in props.conf. These settings determine how Splunk breaks the data into events based on certain criteria, such as timestamps or regular expressions. The event boundaries are defined by the props.conf file, which can be modified by the administrator. Therefore, the parsing phase is the last opportunity for defining event boundaries.

• Question 18:

  Which layers are involved in Splunk configuration file layering? (select all that apply)

  A. App context

  B. User context

  C. Global context

  D. Forwarder context

  Correct Answer: ABC

  https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

  To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or inthe context of the current app and user: Global. Activities

  like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature. App/

  user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

• Question 19:

  Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

  A. Indexers

  B. Forwarder

  C. Search head

  D. Search peers

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Howuserscancontroldistributedsearches "From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers, and consolidates the results when presenting them to the user."

• Question 20:

  Where are license files stored?

  A. $SPLUNK_HOME/etc/secure

  B. $SPLUNK_HOME/etc/system

  C. $SPLUNK_HOME/etc/licenses

  D. $SPLUNK_HOME/etc/apps/licenses

  Correct Answer: C