Free SPLK-1005 Sample Questions — Splunk Cloud Certified Admin

Free SPLK-1005 sample questions for the Splunk Cloud Certified Admin exam. No account required: study at your own pace.

Question 1

In case of a Change Request, which of the following should submit a support case for Splunk Support?

  • A. The party requesting the change
  • B. Certified Splunk Cloud administrator
  • C. Splunk infrastructure owner
  • D. Any person with the appropriate entitlement

Correct Answer: D. Any person with the appropriate entitlement

Question 2

Which of the following files is used for both search-time and index-time configuration?

  • A. inputs.conf
  • B. props.conf
  • C. macros.conf
  • D. savedsearch.conf

Correct Answer: B. props.conf

Question 3

Windows input types are collected in Splunk via a script which is configurable using the GUI. What is this type of input called?

  • A. Batch
  • B. Scripted
  • C. Modular
  • D. Front-end

Correct Answer: B. Scripted

Question 4

When is data deleted from a Splunk Cloud index?

  • A. When buckets roll to frozen, without a defined archive
  • B. When data is deleted via the Splunk Cloud Admin GUI
  • C. When TA_Delete is downloaded and enabled from SplunkBase
  • D. When the deleteindex command is executed from the CLI

Correct Answer: A. When buckets roll to frozen, without a defined archive

Question 5

Where does the regex-replacement processor run?

  • A. Merging pipeline
  • B. Typing pipeline
  • C. Index pipeline
  • D. Parsing pipeline

Correct Answer: B. Typing pipeline

Question 6

In what scenarios would transforms.conf be used?

  • A. Per-Event Index Routing, Applying Event Types, SEDCMD operations
  • B. Per-Event Sourcetype, Per-Event Host Name, Per-Event Index Routing
  • C. Per-Event Host Name, Per-Event Index Routing, SEDCMD operations
  • D. Per-Event Sourcetype, Per-Event Index Routing, Applying Event Types

Correct Answer: B. Per-Event Sourcetype, Per-Event Host Name, Per-Event Index Routing

Question 7

Which of the following methods is valid for creating index-time field extractions?

  • A. Use the UI to create a sourcetype, specify the field name and corresponding regular expression with capture statement
  • B. Create a configuration app with the index-time props.conf and/or transforms.conf, and upload the app via UI
  • C. Use the CLI app to define settings in fields.conf, and restart Splunk Cloud
  • D. Use the rex command to extract the desired field, and then save as a calculated field

Correct Answer: B. Create a configuration app with the index-time props.conf and/or transforms.conf, and upload the app via UI

Question 8

Which of the following is correct in regard to configuring a Universal Forwarder as an Intermediate Forwarder?

  • A. This can only be turned on using the Settings > Forwarding and Receiving menu in Splunk Web/UI
  • B. The configuration changes can be made using Splunk Web, CLI, directly in configuration files, or via a deployment app
  • C. The configuration changes can be made using CLI, directly in configuration files, or via a deployment app
  • D. It is only possible to make this change directly in configuration files or via a deployment app

Correct Answer: C. The configuration changes can be made using CLI, directly in configuration files, or via a deployment app

Question 9

A monitor has been created in inputs.conf for a directory that contains a mix of file types. How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?

  • A. On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza
  • B. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza
  • C. On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files
  • D. On the forwarder collecting the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files

Correct Answer: B. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza

Question 10

What is the recommended method to test the onboarding of a new data source before putting it in production?

  • A. Send test data to a test index
  • B. Send data to the associated production index
  • C. Replicate Splunk deployment in a test environment
  • D. Send data to lastchanceindex

Correct Answer: A. Send test data to a test index
