Splunk splk-1003 practice test

Splunk Enterprise Certified Admin Exam


Question 1

Which data pipeline phase is the last opportunity for defining event boundaries?

  • A. Input phase
  • B. Indexing phase
  • C. Parsing phase
  • D. Search phase
Answer:

C

Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline


Question 2

Which of the following Splunk components require a separate installation package?

  • A. Deployment server
  • B. License master
  • C. Universal forwarder
  • D. Heavy forwarder
Answer:

C

Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/Install-and-Configure-Splunk-Enterprise-Components.md


Question 3

Which forwarder is recommended by Splunk to use in a production environment?

  • A. Heavy forwarder
  • B. SSL forwarder
  • C. Lightweight forwarder
  • D. Universal forwarder
Answer:

D

Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Splunk-forwarder/m-p/18009


Question 4

An add-on has configured field aliases for source IP address and destination IP address fields. A
specific user prefers not to have those fields present in their user context. Based on the default
props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be
added to the user's local context to disable the field aliases?


  • A. Option A
  • B. Option B
  • C. Option C
  • D. Option D
Answer:

B


Question 5

When using license pools, volume allocations apply to which Splunk components?

  • A. Indexers
  • B. Indexes
  • C. Heavy Forwarders
  • D. Search Heads
Answer:

A

Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Groups,stacks,pools,andotherterminology


Question 6

When using a directory monitor input, a specific source type can be selectively overridden using which
configuration file?

  • A. props.conf
  • B. sourcetypes.conf
  • C. transforms.conf
  • D. outputs.conf
Answer:

A

Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassignment


Question 7

A new forwarder has been installed with a manually created deploymentclient.conf.
What is the next step to enable the communication between the forwarder and the deployment
server?

  • A. Restart Splunk on the deployment server.
  • B. Enable the deployment client in Splunk Web under Forwarder Management.
  • C. Restart Splunk on the deployment client.
  • D. Wait for up to the time set in the phoneHomeIntervalInSecs setting.
Answer:

A

Explanation:
Reference:
https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configuretheuniversalforwarder


Question 8

Which network input option provides durable file-system buffering of data to mitigate data loss due
to network outages and splunkd restarts?

  • A. diskQueueSize
  • B. durableQueueSize
  • C. persistentQueueSize
  • D. queueSize
Answer:

C

Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/Data/Usepersistentqueues


Question 9

Which of the following are reasons to create separate indexes? (Choose all that apply.)

  • A. Different retention times.
  • B. Increase number of users.
  • C. Restrict user permissions.
  • D. File organization.
Answer:

AD

Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have-multiple-indexes/m-p/12063


Question 10

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the
wait queue on this universal forwarder?

  • A. 21MB
  • B. 28MB
  • C. 14MB
  • D. 7MB
Answer:

A

Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Protectagainstlossofin-flightdata
