Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 51:

  A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to ensure that the masking takes place successfully?

  A. Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

  B. For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

  C. Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

  D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

  Correct Answer: D

  The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B. According to the Splunk documentation1, to mask sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file and the REGEX attribute in the transforms.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing, while the REGEX attribute defines a regular expression to match the data to be masked.You need to place these files on the Splunk instance that parses the data, which isusually the indexer or the heavy forwarder2. The universal forwarder does not parse the data, so it does not need these files. For source A, the data is routed through a heavy forwarder, which can parse the data before sending it to the indexer. Therefore, you need to place both props.conf and transforms.conf on the heavy forwarder for source A, so that the masking takes place before indexing. For source B, the data is routed directly to the indexer, which parses and indexes the data. Therefore, you need to place both props.conf and transforms.conf on the indexer for source B, so that the masking takes place before indexing. References:1:Redact data from events - Splunk Documentation2:Where do I configure my Splunk settings? - Splunk Documentation

• Question 52:

  During search time, which directory of configuration files has the highest precedence?

  A. $SFLUNK_KOME/etc/system/local

  B. $SPLUNK_KCME/etc/system/default

  C. $SPLUNK_HCME/etc/apps/app1/local

  D. $SPLUNK HCME/etc/users/admin/local

  Correct Answer: D

  Adding further clarity and quoting same Splunk reference URL from @giubal"

  "To keep configuration settings consistent across peer nodes, configuration files are managed from the cluster master, which pushes the files to the slave-app directories on the peer nodes. Files in the slave-app directories have the highest precedence in a cluster peer's configuration. Here is the expanded precedence order for cluster peers: 1.Slave-app local directories -- highest priority

  2.

  System local directory

  3.

  App local directories

  4.

  Slave-app default directories

  5.

  App default directories

  6.

  System default directory --lowest priority

• Question 53:

  Which parent directory contains the configuration files in Splunk?

  A. SSFLUNK_HOME/etc

  B. SSPLUNK_HOME/var

  C. SSPLUNK_HOME/conf

  D. SSPLUNK_HOME/default

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories Section titled, Configuration file directories, states "A detailed list of settings for each configuration file is provided in the .spec file names for that configuration file. You can find the latest version of the .spec and .example files in the $SPLUNK_HOME/etc system/README folder of your Splunk Enterprise installation..."

• Question 54:

  In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

  A. To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

  B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes

  C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.

  D. To ensure that data has not been tampered with for auditing and/or legal purposes

  Correct Answer: D

• Question 55:

  A Universal Forwarder has the following active stanza in inputs . conf:

  [monitor: //var/log]

  disabled = O

  host = 460352847

  An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

  A. Universal Coordinated Time.

  B. The timezone of the search head.

  C. The timezone of the indexer that indexed the event.

  D. The timezone of the forwarder.

  Correct Answer: D

  The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

  According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

  Use the time zone specified in raw event data (for example, PST, -0800), if present.

  Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

  If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

  Use the time zone of the host that indexes the event. In this case, the event does not have a time zone specified in the raw data, nor does it have a TZ attribute set in props.conf. Therefore, the next rule applies, which is to use the time zone

  that the forwarder provides.A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, and it knows its system time zone and sends that information along with the events to the indexer2.The indexer then

  converts the event time to UTC and stores it in the _time field1.

  The other options are incorrect because:

  A. Universal Coordinated Time (UTC) is not the time zone that Splunk adds to the event as part of indexing, but rather the time zone that Splunk uses to store the event time in the _time field.Splunk software converts the event time to UTC based on the time zone that it determines from the rules above1. B.The timezone of the search head is not relevant for indexing, as the search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data3.The search head uses the user's timezone setting to determine the time range in UTC that should be searched and to display the timestamp of the results in the user's timezone2. C. The timezone of the indexer that indexed the event is only used as a last resort, if none of the other rules apply.In this case, the forwarder provides the time zone information, so the indexer does not use its own time zone1.

• Question 56:

  In inputs. conf, which stanza would mean Splunk was only reading one local file?

  A. [read://opt/log/crashlog/Jan27crash.txt]

  B. [monitor::/ opt/log/crashlog/Jan27crash.txt]

  C. [monitor:/// opt/log/]

  D. [monitor:/// opt/log/ crashlog/Jan27crash.txt]

  Correct Answer: B

  [monitor::/opt/log/crashlog/Jan27crash.txt]. This stanza means that Splunk is monitoring a single local file named Jan27crash.txt in the /opt/log/crashlog/ directory1. The monitor input type is used to monitor files and directories for changes and index any new data that is added2.

• Question 57:

  In which phase of the index time process does the license metering occur?

  A. input phase

  B. Parsing phase

  C. Indexing phase

  D. Licensing phase

  Correct Answer: C

  "When ingesting event data, the measured data volume is based on the new raw data that is placed into the indexing pipeline. Because the data is measured at the indexing pipeline, data that is filetered and dropped prior to indexing does not count against the license volume qota." https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

• Question 58:

  In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

  A. services/ collector

  B. services/ inputs ? raw

  C. services/ data/ collector

  D. data/ collector

  Correct Answer: C

  The answer to your question is C. services/data/collector. This is the endpoint URI used to collect data in a customer managed Splunk Enterprise environment.According to the Splunk documentation1, "The HTTP Event Collector REST API

  endpoint is /services/data/collector.You can use this endpoint to send events to HTTP Event Collector on a Splunk Enterprise or Splunk Cloud Platform deployment." You can also use this endpoint to send events to a specific token or index1.

  For example, you can use thefollowing curl command to send an event with the token 578254cc-05f5-46b5-957b- 910d1400341a and the index main:

  curl -k https://localhost:8088/services/data/collector -H'Authorization: Splunk 578254cc- 05f5-46b5-957b-910d1400341a'-d'{"index":"main","event":"Hello, world!"}'

• Question 59:

  Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

  A. Upload option

  B. Forward option

  C. Monitor option

  D. Download option

  Correct Answer: A

• Question 60:

  Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)

  A. Index once.

  B. Monitor interval.

  C. On-demand monitor.

  D. Continuously monitor.

  Correct Answer: AD

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata The fastest way to add data to your Splunk Cloud instance or Splunk Enterprise deployment is to use Splunk Web. After you access the Add Data page, choose one of three options for getting data into your Splunk platform deployment with Splunk Web: (1) Upload, (2) Monitor, (3) Forward The Upload option lets you upload a file or archive of files for indexing. When you choose Upload option, Splunk Web opens the upload process page. Monitor. For Splunk Enterprise installations, the Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to.