Splunk splk-1003 practice test

Splunk Enterprise Certified Admin Exam

Last exam update: Aug 11 ,2025
Page 1 out of 10. Viewing questions 1-15 out of 138

Question 1

Which data pipeline phase is the last opportunity for defining event boundaries?

  • A. Input phase
  • B. Indexing phase
  • C. Parsing phase
  • D. Search phase
Mark Question:
Answer:

C


Explanation:
Reference
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatap
ipeline

User Votes:
A
50%
B 1 votes
50%
C 4 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is C

0

Question 2

Which of the following Splunk components require a separate installation package?

  • A. Deployment server
  • B. License master
  • C. Universal forwarder
  • D. Heavy forwarder
Mark Question:
Answer:

C


Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/Install-and-Configure-Splunk-
Enterprise-Components.md

User Votes:
A
50%
B
50%
C 4 votes
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is C

0

Question 3

Which forwarder is recommended by Splunk to use in a production environment?

  • A. Heavy forwarder
  • B. SSL forwarder
  • C. Lightweight forwarder
  • D. Universal forwarder
Mark Question:
Answer:

D


Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Splunk-forwarder/m-p/18009

User Votes:
A 2 votes
50%
B
50%
C
50%
D 2 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is A

0

Question 4

An add-on has configured field aliases for source IP address and destination IP address fields. A
specific user prefers not to have those fields present in their user context. Based on the default
props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be
added to the users local context to disable the field aliases?


  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D
Mark Question:
Answer:

B


User Votes:
A
50%
B 2 votes
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is B

0

Question 5

When using license pools, volume allocations apply to which Splunk components?

  • A. Indexers
  • B. Indexes
  • C. Heavy Forwarders
  • D. Search Heads
Mark Question:
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Groups,stacks,pools,andothertermino
logy

User Votes:
A 4 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is A

0

Question 6

When using a directory monitor input, specific source type can be selectively overridden using which
configuration file?

  • A. props.conf
  • B. sourcetypes.conf
  • C. transforms.conf
  • D. outputs.conf
Mark Question:
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassig
nment

User Votes:
A 2 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
xeber
9 months, 2 weeks ago

my answer is A

0

Question 7

A new forwarder has been installed with a manually created deploymentclient.conf.
What is the next step to enable the communication between the forwarder and the deployment
server?

  • A. Restart Splunk on the deployment server.
  • B. Enable the deployment client in Splunk Web under Forwarder Management.
  • C. Restart Splunk on the deployment client.
  • D. Wait for up to the time set in the phoneHomeIntervalInSecs setting.
Mark Question:
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configuretheuniversalforward
er

User Votes:
A 1 votes
50%
B 1 votes
50%
C 2 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
francesco.brizzi
1 month, 1 week ago

C . You need to run the "splunk restart" command in the command prompt (CMD) or terminal on the host where the Splunk forwarder is installed. This will restart the Splunk forwarder service on that host and apply any changes made in the configuration files, such as deploymentclient.conf.

0

Question 8

Which network input option provides durable file-system buffering of data to mitigate data loss due
to network outages and splunkd restarts?

  • A. diskQueueSize
  • B. durableQueueSize C persistentOueueSize
  • D. queueSize
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/Data/Usepersistentqueues

User Votes:
A
50%
B
50%
D
50%
Discussions
vote your answer:
A
B
D
0 / 1000
francesco.brizzi
1 month, 1 week ago

vote for C

0

Question 9

Which of the following are reasons to create separate indexes? (Choose all that apply.)

  • A. Different retention times.
  • B. Increase number of users.
  • C. Restrict user permissions.
  • D. File organization.
Mark Question:
Answer:

AD


Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have-multiple-
indexes/m-p/12063

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 10

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the
wait queue on this universal forwarder?

  • A. 21MB
  • B. 28MB
  • C. 14MB
  • D. 7MB
Mark Question:
Answer:

A


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Protectagainstlossofin-
flightdata

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 11

Which setting allows the configuration of Splunk to allow events to span over more than one line?

  • A. SHOULD_LINEMERGE = true
  • B. BREAK_ONLY_BEFORE_DATE = true
  • C. BREAK_ONLY_BEFORE = <REGEX pattern>
  • D. SHOULD_LINEMERGE = false
Mark Question:
Answer:

C


Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureeventlinebreaking

User Votes:
A 1 votes
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 12

What is the command to reset the fishbucket for one source?

  • A. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
  • B. splunk clean eventdata -index _thefishbucket
  • C. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset
  • D. splunk btool fishbucket reset <source>
Mark Question:
Answer:

C


Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/How-can-I-trigger-the-re-indexing-of-
a-single-file/m-p/108568

User Votes:
A
50%
B
50%
C 1 votes
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 13

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps
to?

  • A. Universal forwarders
  • B. Splunk Cloud
  • C. Linux package managers
  • D. Windows using WMI
Mark Question:
Answer:

A


Explanation:
Reference:
https://community.splunk.com/t5/Deployment-Architecture/Push-apps-from-
deployment-server-automatically-to-universal/m-p/328191

User Votes:
A 1 votes
50%
B
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000

Question 14

All search-time field extractions should be specified on which Splunk component?

  • A. Deployment server
  • B. Universal forwarder
  • C. Indexer
  • D. Search head
Mark Question:
Answer:

C


Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/README/props.conf.spec

User Votes:
A
50%
B
50%
C
50%
D 1 votes
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
francesco.brizzi
1 month, 1 week ago

in search-time D. Search head

0

Question 15

Which artifact is required in the request header when creating an HTTP event?

  • A. ackID
  • B. Token
  • C. Manifest
  • D. Host name
Mark Question:
Answer:

B


Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/FormateventsforHTTPEventCollector

User Votes:
A
50%
B 1 votes
50%
C
50%
D
50%
Discussions
vote your answer:
A
B
C
D
0 / 1000
To page 2