Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 21:

  Running this search in a distributed environment:

  

  On what Splunk component does the eval command get executed?

  A. Heavy Forwarders

  B. Universal Forwarders

  C. Search peers

  D. Search heads

  Correct Answer: C

  The eval command is a distributable streaming command, which means that it can run on the search peers in a distributed environment1. The search peers are the indexers that store the data and perform the initial steps of the search processing2. The eval command calculates an expression and puts the resulting value into a search results field1. In your search, you are using the eval command to create a new field called "responsible_team" based on the values in the "account" field.

• Question 22:

  The CLI command splunk add forward-server indexer: will create stanza(s) in which configuration file?

  A. inputs.conf

  B. indexes.conf

  C. outputs.conf

  D. servers.conf

  Correct Answer: C

  The CLI command "Splunk add forward-server indexer:" is used to define the indexer and the listening port on forwards. The command creates this kind of entry "[tcpout-server://:]" in the outputs.conf file. https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwit houtputs.conf

  Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Enableareceiver

• Question 23:

  Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

  A. props.conf

  B. inputs.conf

  C. outputs.conf

  D. collections.conf

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."

  Reference: https://community.splunk.com/t5/Getting-Data-In/How-to-configure-search-head-to-forwardinternal-data-to-the/td-p/111658

• Question 24:

  What happens when the same username exists in Splunk as well as through LDAP?

  A. Splunk user is automatically deleted from authentication.conf.

  B. LDAP settings take precedence.

  C. Splunk settings take precedence.

  D. LDAP user is automatically deleted from authentication.conf

  Correct Answer: C

  Reference:https://docs.splunk.com/Documentation/SplunkCloud/8.2.2105/Security/SetupuserauthenticationwithLDAP

  Splunk platform attempts native authentication first. If authentication fails outside of a local account that doesn't exist, there is no attempt to use LDAP to log in. This is adapted from precedence of Splunk authentication schema.

• Question 25:

  Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

  A. _audit

  B. _checkpoint

  C. _introspection

  D. _thefishbucket

  Correct Answer: D

  --reset Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use.

• Question 26:

  Syslog files are being monitored on a Heavy Forwarder. Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

  A. Heavy Forwarder

  B. Indexer

  C. Search head

  D. Deployment server

  Correct Answer: A

  A Heavy Forwarder is a Splunk instance that can parse and filter data before forwarding it to another Splunk instance, such as an indexer1. A Heavy Forwarder can also perform index-time field extractions using the TRANSFORMS setting2.

  The TRANSFORMS setting is used to configure data transformations in the transforms.conf file3. The transforms.conf file contains settings and values that you canuse to configure host and source type overrides, anonymize sensitive data,

  route events to different indexes, create index-time and search-time field extractions, and set up lookup tables3.

  The TRANSFORMS setting can be deployed to the Heavy Forwarder where the syslog files are being monitored, so that the logs can be rerouted based on the event message before they are forwarded to the indexer2. This can improve the

  performance and efficiency of data processing and indexing2.

• Question 27:

  The priority of layered Splunk configuration files depends on the file's:

  A. Owner

  B. Weight

  C. Context

  D. Creation time

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfil es

  "To determine the order of directories for evaluating configuration file precendence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user"

• Question 28:

  When should the Data Preview feature be used?

  A. When extracting fields for ingested data.

  B. When previewing the data before searching.

  C. When reviewing data on the source host.

  D. When validating the parsing of data.

  Correct Answer: D

  The Data Preview feature should be used when validating the parsing of data. The Data Preview feature allows you to preview how Splunk software will index your data before you commit the data to an index.You can use the Data Preview

  feature to check the following aspects of data parsing1:

  Timestamp recognition: You can verify that Splunk software correctly identifies the timestamps of your events and assigns them to the _time field. Event breaking: You can verify that Splunk software correctly breaks your data stream into

  individual events based on the line breaker and should linemerge settings.

  Source type assignment: You can verify that Splunk software correctly assigns a source type to your data based on the props.conf file settings. You can also manually override the source type if needed. Field extraction: You can verify that

  Splunk software correctly extracts fields from your events based on the transforms.conf file settings. You can also use the Interactive Field Extractor (IFX) to create custom field extractions. The Data Preview feature is available in Splunk Web

  under Settings > Data inputs > Data preview.You can access the Data Preview feature when you add a new input or edit an existing input1.

  The other options are incorrect because:

  A. When extracting fields for ingested data. The Data Preview feature can be used to verify the field extraction for data that has not been ingested yet, but not for data that has already been indexed.To extract fields from ingested data, you can use the IFX or the rex command in the Search app2.

  B. When previewing the data before searching. The Data Preview feature does not allow you to search the data, but only to view how it will be indexed. To preview thedata before searching, you can use the Search app and specify a time range or a sample ratio.

  C. When reviewing data on the source host. The Data Preview feature does not access the data on the source host, but only the data that has been uploaded or monitored by Splunk software. To review data on the source host, you can use the Splunk Universal Forwarder or the Splunk Add-on for Unix and Linux.

• Question 29:

  Which setting in indexes. conf allows data retention to be controlled by time?

  A. maxDaysToKeep

  B. moveToFrozenAfter

  C. maxDataRetentionTime

  D. frozenTimePeriodlnSecs

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy

• Question 30:

  When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

  A. On Universal Forwarder, $SPLUNK_HOME/etc/apps

  B. On Deployment Server, $SPLUNK_HOME/etc/apps

  C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

  D. On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

  Correct Answer: C

  The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps. A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called

  "deployment clients".A deployment client can be a universal forwarder, a non-clustered indexer, or a search head1.

  A deployment app is a directory that contains any content that you want to download to a set of deployment clients.The content can include a Splunk Enterprise app, a set of Splunk Enterprise configurations, or other content, such as scripts,

  images, and supporting files2. You create a deployment app by creating a directory for it on the deployment server. The default location is $SPLUNK_HOME/etc/deployment-apps, but this is configurable through the repositoryLocation

  attribute in serverclass.conf. Underneath this location, each app must have its own subdirectory.The name of the subdirectory serves as the app name in the forwarder management interface2.

  The other options are incorrect because:

  A. On Universal Forwarder, $SPLUNK_HOME/etc/apps. This is the location where the deployment app resides after it is downloaded from the deployment server to the universal forwarder.It is not the location of the app before it is deployed2.

  B. On Deployment Server, $SPLUNK_HOME/etc/apps. This is the location where the apps that are specific to the deployment server itself reside.It is not the location where the deployment apps for the clients are stored2. D. On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps. This is not a valid location for any app on a universal forwarder.The universal forwarder does not act as a deployment server and does not store deployment apps3.