Splunk splk-1003 practice test
Splunk Enterprise Certified Admin Exam
Question 1
Which setting in indexes. conf allows data retention to be controlled by time?
- A. maxDaysToKeep
- B. moveToFrozenAfter
- C. maxDataRetentionTime
- D. frozenTimePeriodlnSecs
Answer:
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy
Question 2
The universal forwarder has which capabilities when sending data? (select all that apply)
- A. Sending alerts
- B. Compressing data
- C. Obfuscating/hiding data
- D. Indexer acknowledgement
Answer:
BD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdat
a
https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutp
uts.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%
20data
.
Question 3
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
- A. Blacklist
- B. Whitelist
- C. They cancel each other out.
- D. Whichever is entered into the configuration first.
Answer:
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdat
a
"It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings
are independent. If you do define both filters and a file matches them both, Splunk Enterprise does
not index that file, as the blacklist filter overrides the whitelist filter." Source:
https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdat
a
Question 4
In which Splunk configuration is the SEDCMD used?
- A. props, conf
- B. inputs.conf
- C. indexes.conf
- D. transforms.conf
Answer:
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-
partysystemsd
"You can specify a SEDCMD configuration in props.conf to address data that contains characters that
the third-party server cannot process. "
Question 5
Which of the following are supported configuration methods to add inputs on a forwarder? (select all
that apply)
- A. CLI
- B. Edit inputs . conf
- C. Edit forwarder.conf
- D. Forwarder Management
Answer:
ABD
Explanation:
https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEn
terprise
"You can collect data on the universal forwarder using several methods. Define inputs on the
universal forwarder with the CLI. You can use the CLI to define inputs on the universal forwarder.
After you define the inputs, the universal forwarder collects data based on those definitions as long
as it has access to the data that you want to monitor. Define inputs on the universal forwarder with
configuration files. If the input you want to configure does not have a CLI argument for it, you can
configure inputs with configuration files. Create an inputs.conf file in the directory,
$SPLUNK_HOME/etc/system/local
Question 6
Which parent directory contains the configuration files in Splunk?
- A. SSFLUNK_HOME/etc
- B. SSPLUNK_HOME/var
- C. SSPLUNK_HOME/conf
- D. SSPLUNK_HOME/default
Answer:
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories
Section titled, Configuration file directories, states "A detailed list of settings for each configuration
file is provided in the .spec file names for that configuration file. You can find the latest version of the
.spec and .example files in the $SPLUNK_HOME/etc system/README folder of your Splunk Enterprise
installation..."
Question 7
Which forwarder type can parse data prior to forwarding?
- A. Universal forwarder
- B. Heaviest forwarder
- C. Hyper forwarder
- D. Heavy forwarder
Answer:
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders
"A heavy forwarder parses data before forwarding it and can route data based on criteria such as
source or type of event."
Question 8
Which Splunk component consolidates the individual results and prepares reports in a distributed
environment?
- A. Indexers
- B. Forwarder
- C. Search head
- D. Search peers
Answer:
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Howuserscancontroldistributedse
arches
"From the user standpoint, specifying and running a distributed search is essentially the same as
running any other search. Behind the scenes, the search head distributes the query to its search
peers, and consolidates the results when presenting them to the user."
Question 9
Which Splunk component distributes apps and certain other configuration updates to search head
cluster members?
- A. Deployer
- B. Cluster master
- C. Deployment server
- D. Search head cluster master
Answer:
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations
First line
says it all: "The deployment server distributes deployment apps to clients."
Question 10
Where should apps be located on the deployment server that the clients pull from?
- A. $SFLUNK_KOME/etc/apps
- B. $SPLUNK_HCME/etc/sear:ch
- C. $SPLUNK_HCME/etc/master-apps
- D. $SPLUNK HCME/etc/deployment-apps
Answer:
D
Explanation:
After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients.
But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.
Question 11
This file has been manually created on a universal forwarder
A new Splunk admin comes in and connects the universal forwarders to a deployment server and
deploys the same app with a new
Which file is now monitored?
- A. /var/log/messages
- B. /var/log/maillog
- C. /var/log/maillog and /var/log/messages
- D. none of the above
Answer:
B
Question 12
In which phase of the index time process does the license metering occur?
- A. input phase
- B. Parsing phase
- C. Indexing phase
- D. Licensing phase
Answer:
C
Explanation:
"When ingesting event data, the measured data volume is based on the new raw data that is placed
into the indexing pipeline. Because the data is measured at the indexing pipeline, data that is
filetered and dropped prior to indexing does not count against the license volume qota."
https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks
Question 13
You update a props. conf file while Splunk is running. You do not restart Splunk and you run this
command: splunk btoo1 props list debug. What will the output be?
- A. list of all the configurations on-disk that Splunk contains.
- B. A verbose list of all configurations as they were when splunkd started.
- C. A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located
- D. A list of the current running props, conf configurations along with a file path from which the configuration was made
Answer:
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootcon
figurations
"The btool command simulates the merging process using the on-disk conf files and creates a report
showing the merged settings."
"The report does not necessarily represent what's loaded in memory. If a conf file change is made
that requires a service restart, the btool report shows the change even though that change isn't
active."
Question 14
When running the command shown below, what is the default path in which deployment server.
conf is created?
splunk set deploy-poll deployServer:port
- A. SFLUNK_HOME/etc/deployment
- B. SPLUNK_HOME/etc/system/local
- C. SPLUNK_HOME/etc/system/default
- D. SPLUNK_KOME/etc/apps/deployment
Answer:
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Updating/Definedeploymentclasses#Ways_t
o_define_server_classes
"When you use forwarder management to create a new server class, it
saves
the
server
class
definition
in
a
copy
of
serverclass.conf
under
$SPLUNK_HOME/etc/system/local. If, instead of using forwarder management, you decide to directly
edit serverclass.conf, it is recommended that you create the serverclass.conf file in that same
directory, $SPLUNK_HOME/etc/system/local."
Question 15
The priority of layered Splunk configuration files depends on the file's:
- A. Owner
- B. Weight
- C. Context
- D. Creation time
Answer:
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles
"To determine the order of directories for evaluating configuration file precendence, Splunk software
considers each file's context. Configuration files operate in either a global context or in the context of
the current app and user"