Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 31:

  Which Splunk configuration file is used to enable data integrity checking?

  A. props.conf

  B. global.conf

  C. indexes.conf

  D. data_integrity.conf

  Correct Answer: C

• Question 32:

  Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?

  A. Apps

  B. Search

  C. Data preview

  D. Forwarder inputs

  Correct Answer: C

  http://www.splunk.com/view/SP-CAAAGPR

• Question 33:

  What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

  A. License data

  B. Metricsdata

  C. Internal Splunk data

  D. Internal Windows logs

  Correct Answer: B

• Question 34:

  What is the valid option for a [monitor] stanza in inputs.conf?

  A. enabled

  B. datasource

  C. server_name

  D. ignoreOlderThan

  Correct Answer: D

  Setting: ignoreOlderThan = Description: "Causes the input to stop checking files for updates if the file modification time has passed the threshold." Default: 0 (disabled)

• Question 35:

  How do you remove missing forwarders from the Monitoring Console?

  A. By restarting Splunk.

  B. By rescanning active forwarders.

  C. By reloading the deployment server.

  D. By rebuilding the forwarder asset table.

  Correct Answer: D

• Question 36:

  In which phase do indexed extractions in props.conf occur?

  A. Inputs phase

  B. Parsing phase

  C. Indexing phase

  D. Searching phase

  Correct Answer: B

  The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

  Input phase inputs.conf props.conf CHARSET NO_BINARY_CHECK CHECK_METHOD CHECK_FOR_HEADER (deprecated) PREFIX_SOURCETYPE sourcetype wmi.conf regmon-filters.conf Structured parsing phase props.conf INDEXED_EXTRACTIONS, and all other structured data header extractions Parsing phase props.conf LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules TRANSFORMS which includes per-event queue filtering, per-event index assignment, per- event routing SEDCMD MORE_THAN, LESS_THAN transforms.conf stanzas referenced by a TRANSFORMS clause in props.conf LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

• Question 37:

  Which of the following is accurate regarding the input phase?

  A. Breaks data into events with timestamps.

  B. Applies event-level transformations.

  C. Fine-tunes metadata.

  D. Performs character encoding.

  Correct Answer: D

  https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline "The data pipeline segments in depth. INPUT - In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with some metadata keys. The keys can also include values that are used internally, such as the character encoding of the data stream, and values that control later processing of the data, such as the index into which the events should be stored. PARSING Annotating individual events with metadata copied from the source-wide keys. Transforming event data and metadata according to regex transform rules."

• Question 38:

  How is a remote monitor input distributed to forwarders?

  A. As an app.

  B. As a forward.conf file.

  C. As a monitor.conf file.

  D. As a forwarder monitor profile.

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents Scroll down to the section Titled, How to configure forwarder inputs, and subsection Here are the main ways that you can configure data inputs on a forwarder Install the app or add- on that contains the inputs you wants

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

• Question 39:

  Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

  A. Tail Reader

  B. Upload

  C. MonitorNoHandIe

  D. Monitor

  Correct Answer: C

  The correct answer is C. MonitorNoHandle. MonitorNoHandle is a type of input stanza that allows a Splunk forwarder to read files on Windows systems as Windows writes to them.It does this by using a kernel-mode filter driver to capture raw

  data as it gets written to the file1.This input stanza is useful for files that get locked open for writing, such as the Windows DNS server log file2.

  The other options are incorrect because:

  A. Tail Reader is not a valid input stanza in Splunk.It is a component of the Tailing Processor, which is responsible for monitoring files and directories for new data3. B. Upload is a type of input stanza that allows Splunk to index a single file from a local or network file system.It is not suitable for files that are constantly being updated, as it only indexes the file once and does not monitor it for changes4. D. Monitor is a type of input stanza that allows Splunk to monitor files and directories for new data. However, it may not work for files that Windows prevents Splunk from reading while they are open.In such cases, MonitorNoHandle is a better option2.

  A Splunk forwarder is a lightweight agent that can forward data to a Splunk deployment. There are two types of forwarders: universal and heavy.A universal forwarder can only forward data, while a heavy forwarder can also perform parsing,

  filtering, routing, and aggregation on the data before forwarding it5. An input stanza is a section in the inputs.conf configuration file that defines the settings for a specific type of input, such as files, directories, network ports, scripts, or

  Windows event logs. An input stanza starts with a square bracket, followed by the input type and the input path or name. For example, [monitor:///var/log] is an input stanza for monitoring the /var/log directory.

  References:

  1: Monitor files and directories - Splunk Documentation

  2: How to configure props.conf for proper line breaking ... - Splunk Community

  3: How Splunk Enterprise monitors files and directories - Splunk Documentation

  4: Upload a file - Splunk Documentation

  5: Use forwarders to get data into Splunk Enterprise - Splunk Documentation [6]: inputs.conf - Splunk Documentation

• Question 40:

  In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

  A. Universal forwarders

  B. Splunk Cloud

  C. Linux package managers

  D. Windows using WMI

  Correct Answer: A

  The deployment server is a Splunk component that distributes apps and other configurations to deployment clients, which are Splunk instances that receive updates from the deployment server. The deployment server can push apps to single, non-clustered Splunk instances, as well as universal forwarders, which are lightweight Splunk agents that forward data to indexers. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [About deployment server and forwarder management

  -Splunk Documentation]