Free SPLK-1003 Sample Questions — Splunk Enterprise Certified Admin

Free SPLK-1003 sample questions for the Splunk Enterprise Certified Admin exam. No account required: study at your own pace.

Question 1

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

  • A. Blacklist
  • B. Whitelist
  • C. They cancel each other out
  • D. Whichever is entered into the configuration first

Correct Answer:
A. Blacklist

Question 2

What will the following inputs.conf stanza do?

    [script://myscript.sh]
    interval=0

  • A. The script will run at the default interval of 60 seconds
  • B. The script will be run only once for each time Splunk is restarted
  • C. The script will be run. As soon as the script exits, Splunk restarts it
  • D. The script will not be run

Correct Answer:
C. The script will be run. As soon as the script exits, Splunk restarts it

Question 3

What is a role in Splunk? (Choose all that apply.)

  • A. A classification that determines if a Splunk server can remotely control another Splunk server
  • B. A classification that determines what indexes a user can search
  • C. A classification that determines what capabilities a user has
  • D. A classification that determines what functions a Splunk server controls

Correct Answer:
  • B. A classification that determines what indexes a user can search
  • C. A classification that determines what capabilities a user has

Question 4

What configuration file are remote Windows Management Instrumentation inputs defined in?

  • A. wmi.conf
  • B. inputs.conf
  • C. wmi_inputs.conf
  • D. None, the inputs are defined outside of Splunk

Correct Answer:
A. wmi.conf

Question 5

Which of the methods listed below supports multi-factor authentication?

  • A. Security Assertion Markup Language (SAML)
  • B. OpenID
  • C. Lightweight Directory Access Protocol (LDAP)
  • D. Single Sign-On (SSO)

Correct Answer:
C. Lightweight Directory Access Protocol (LDAP)

Question 6

In which phase do indexed extractions in props.conf occur?

  • A. Inputs phase
  • B. Parsing phase
  • C. Indexing phase
  • D. Searching phase

Correct Answer:
A. Inputs phase

Question 7

Which of the following are reasons to create separate indexes? (Choose all that apply.)

  • A. Different retention times
  • B. Increase number of users
  • C. Restrict user permissions
  • D. File organization

Correct Answer:
  • A. Different retention times
  • C. Restrict user permissions

Question 8

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

  • A. It requires a separate channel provided by the client
  • B. It is configured the same as indexer acknowledgement used to protect in-flight data
  • C. It can be enabled at the global setting level
  • D. It stores status information on the Splunk server

Correct Answer:
A. It requires a separate channel provided by the client

Question 9

The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in which configuration file?

  • A. inputs.conf
  • B. indexes.conf
  • C. outputs.conf
  • D. servers.conf

Correct Answer:
C. outputs.conf

Question 10

Which of the following is a benefit of distributed search?

  • A. Peers run search in sequence
  • B. Peers run search in parallel
  • C. Resilience from indexer failure
  • D. Resilience from search head failure

Correct Answer:
B. Peers run search in parallel

Question 11

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

  • A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders
  • B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders
  • C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders
  • D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders

Correct Answer:
B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders

Question 12

Where should apps be located on the deployment server that the clients pull from?

  • A. $SPLUNK_HOME/etc/apps
  • B. $SPLUNK_HOME/etc/search
  • C. $SPLUNK_HOME/etc/master-apps
  • D. $SPLUNK_HOME/etc/deployment-apps

Correct Answer:
D. $SPLUNK_HOME/etc/deployment-apps

Question 13

Where are deployment server apps mapped to clients?

  • A. Apps tab in forwarder management interface or clientapps.conf.
  • B. Clients tab in forwarder management interface or deploymentclient.conf.
  • C. Server Classes tab in forwarder management interface or serverclass.conf.
  • D. Client Applications tab in forwarder management interface or clientapps.conf.

Correct Answer:
C. Server Classes tab in forwarder management interface or serverclass.conf.

Question 14

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

  • A. followTail
  • B. ignoreOlderThan
  • C. monitor
  • D. allowList

Correct Answer:
A. followTail

Question 15

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

  • A. _audit
  • B. _checkpoint
  • C. _introspection
  • D. _thefishbucket

Correct Answer:
D. _thefishbucket

Question 16

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

  • A. Slash notation
  • B. Regular expression
  • C. Irregular expression
  • D. Wildcard-only expression

Correct Answer:
B. Regular expression

Question 17

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder’s outputs.conf and the tcpout stanza are set up correctly. What else could be the cause of this scaling issue? (Choose all that apply.)

  • A. The indexAndForward value is not set properly
  • B. The DNS record used is not set up with a valid list of IP addresses
  • C. The inputs.conf’s _SYSLOG_ROUTING is not set up to use the right group names
  • D. The receiving port is not properly set up to listen on the right port

Correct Answer:
  • B. The DNS record used is not set up with a valid list of IP addresses
  • D. The receiving port is not properly set up to listen on the right port

Question 18

What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

  • A. ... is not supported in monitor stanzas
  • B. There is no difference, they are interchangeable and match anything beyond directory boundaries
  • C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well
  • D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well

Correct Answer:
C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well

Question 19

When running the command shown below, what is the default path in which deploymentserver.conf is created?

    splunk set deploy-poll deployServer:port

  • A. SPLUNK_HOME/etc/deployment
  • B. SPLUNK_HOME/etc/system/local
  • C. SPLUNK_HOME/etc/system/default
  • D. SPLUNK_HOME/etc/apps/deployment

Correct Answer:
B. SPLUNK_HOME/etc/system/local

Question 20

Which forwarder type can parse data prior to forwarding?

  • A. Universal forwarder
  • B. Heaviest forwarder
  • C. Hyper forwarder
  • D. Heavy forwarder

Correct Answer:
D. Heavy forwarder