Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 81:

  Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?

  A. Duo Administrator

  B. LDAP Administrator

  C. SAML Administrator

  D. Trio Administrator

  Correct Answer: A

  Reference: https://duo.com/docs/splunk

• Question 82:

  Which of the following Splunk components require a separate installation package?

  A. Deployment server

  B. License master

  C. Universal forwarder

  D. Heavy forwarder

  Correct Answer: C

  Reference:https://github.com/packetiq/SplunkArchitect/blob/master/Install-and-Configure-Splunk-Enterprise-Components.md

  The Splunk component that requires a separate installation package is the universal forwarder. The universal forwarder is a lightweight Splunk agent that forwards data to indexers or other forwarders. The universal forwarder has a different installation package than the Splunk Enterprise package, which includes all the other Splunk components. Therefore, option C is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [About installing Splunk Enterprise with a universal forwarder - Splunk Documentation]

• Question 83:

  A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

  A. Update the user in Splunk web informing them that the results of their search may be incomplete.

  B. Repeat the search request on indexer B without informing the user.

  C. Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

  D. Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

  Correct Answer: A

  This is explained in the Splunk documentation, which states:

  If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

• Question 84:

  Which is a valid stanza for a network input?

  A. [udp://172.16.10.1:9997] connection = dns sourcetype = dns

  B. [any://172.16.10.1:10001] connection_host = ip sourcetype = web

  C. [tcp://172.16.10.1:9997] connection_host = web sourcetype = web

  D. [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns

  Correct Answer: D

• Question 85:

  Which additional component is required for a search head cluster?

  A. Deployer

  B. Cluster Master

  C. Monitoring Console

  D. Management Console

  Correct Answer: A

  Reference:https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeployme ntoverview

  The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

• Question 86:

  What event-processing pipelines are used to process data for indexing? (select all that apply)

  A. Typing pipeline

  B. Parsing pipeline

  C. fifo pipeline

  D. Indexing pipeline

  Correct Answer: BD

• Question 87:

  Where are deployment server apps mapped to clients?

  A. Apps tab in forwarder management interface or clientapps.conf.

  B. Clients tab in forwarder management interface or deploymentclient.conf.

  C. Server Classes tab in forwarder management interface or serverclass.conf.

  D. Client Applications tab in forwarder management interface or clientapps.conf.

  Correct Answer: C

  "Use serverclass.conf to define server classes" "The most important settings define the set of deployment clients and the set of apps for each server class."

• Question 88:

  Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

  A. It requires a separate channel provided by the client.

  B. It is configured the same as indexer acknowledgement used to protect in-flight data.

  C. It can be enabled at the global setting level.

  D. It stores status information on the Splunk server.

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

  -Section: About channels and sending data

  Sending events to HEC with indexer acknowledgment active is similar to sending them with the setting off. There is one crucial difference: when you have indexer acknowledgment turned on, you must specify a channel when you send

  events. The concept of a channel was introduced in HEC primarily to prevent a fast client from impeding the performance of a slow client. When you assign one channel per client, because channels are treated equally on Splunk Enterprise,

  one client can't affect another. You must include a matching channel identifier both when sending data to HEC in an HTTP request and when requesting acknowledgment that events contained in the request have been indexed. If you don't,

  you will receive the error message, "Data channel is missing." Each request that includes a token for which indexer acknowledgment has been enabled must include a channel identifier, as shown in the following example cURL statement,

  where represents the event data portion of the request

• Question 89:

  Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

  A. Any OS platform

  B. Linux platform only

  C. Windows platform only.

  D. None of the above.

  Correct Answer: A

  "The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

• Question 90:

  When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

  A. props.conf

  B. sourcetypes.conf

  C. transforms.conf

  D. outputs.conf

  Correct Answer: A

  Reference:https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautoma ticsourcetypeassignment

  When using a directory monitor input, specific source types can be selectively overridden using props.conf. The props.conf file contains settings for parsing and indexing data, as well as search-time field extractions. The props.conf file can be used to assign or change source types for specific inputs using the sourcetype attribute. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [Configure directory monitor inputs - Splunk Documentation]