Splunk splk-1003 practice test
Splunk Enterprise Certified Admin Exam
Last exam update: Apr 19 ,2024
Question 1
Which data pipeline phase is the last opportunity for defining event boundaries?
- A. Input phase
- B. Indexing phase
- C. Parsing phase
- D. Search phase
Answer:
C
Explanation:
Reference
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatap
ipeline
Question 2
Which of the following Splunk components require a separate installation package?
- A. Deployment server
- B. License master
- C. Universal forwarder
- D. Heavy forwarder
Answer:
C
Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/Install-and-Configure-Splunk-
Enterprise-Components.md
Question 3
Which forwarder is recommended by Splunk to use in a production environment?
- A. Heavy forwarder
- B. SSL forwarder
- C. Lightweight forwarder
- D. Universal forwarder
Answer:
D
Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Splunk-forwarder/m-p/18009
Question 4
An add-on has configured field aliases for source IP address and destination IP address fields. A
specific user prefers not to have those fields present in their user context. Based on the default
props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be
added to the users local context to disable the field aliases?
- A. Option A
- B. Option B
- C. Option C
- D. Option D
Answer:
B
Question 5
When using license pools, volume allocations apply to which Splunk components?
- A. Indexers
- B. Indexes
- C. Heavy Forwarders
- D. Search Heads
Answer:
A
Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Groups,stacks,pools,andothertermino
logy
Question 6
When using a directory monitor input, specific source type can be selectively overridden using which
configuration file?
- A. props.conf
- B. sourcetypes.conf
- C. transforms.conf
- D. outputs.conf
Answer:
A
Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Bypassautomaticsourcetypeassig
nment
Question 7
A new forwarder has been installed with a manually created deploymentclient.conf.
What is the next step to enable the communication between the forwarder and the deployment
server?
- A. Restart Splunk on the deployment server.
- B. Enable the deployment client in Splunk Web under Forwarder Management.
- C. Restart Splunk on the deployment client.
- D. Wait for up to the time set in the phoneHomeIntervalInSecs setting.
Answer:
A
Explanation:
Reference:
https://docs.splunk.com/Documentation/Forwarder/8.2.3/Forwarder/Configuretheuniversalforward
er
Question 8
Which network input option provides durable file-system buffering of data to mitigate data loss due
to network outages and splunkd restarts?
- A. diskQueueSize
- B. durableQueueSize C persistentOueueSize
- D. queueSize
Answer:
C
Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/Data/Usepersistentqueues
Question 9
Which of the following are reasons to create separate indexes? (Choose all that apply.)
- A. Different retention times.
- B. Increase number of users.
- C. Restrict user permissions.
- D. File organization.
Answer:
AD
Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have-multiple-
indexes/m-p/12063
Question 10
In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the
wait queue on this universal forwarder?
- A. 21MB
- B. 28MB
- C. 14MB
- D. 7MB
Answer:
A
Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Forwarding/Protectagainstlossofin-
flightdata
Question 11
Which setting allows the configuration of Splunk to allow events to span over more than one line?
- A. SHOULD_LINEMERGE = true
- B. BREAK_ONLY_BEFORE_DATE = true
- C. BREAK_ONLY_BEFORE = <REGEX pattern>
- D. SHOULD_LINEMERGE = false
Answer:
C
Explanation:
Reference:
https://docs.splunk.com/Documentation/SplunkCloud/latest/Data/Configureeventlinebreaking
Question 12
What is the command to reset the fishbucket for one source?
- A. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
- B. splunk clean eventdata -index _thefishbucket
- C. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset
- D. splunk btool fishbucket reset <source>
Answer:
C
Explanation:
Reference:
https://community.splunk.com/t5/Getting-Data-In/How-can-I-trigger-the-re-indexing-of-
a-single-file/m-p/108568
Question 13
In addition to single, non-clustered Splunk instances, what else can the deployment server push apps
to?
- A. Universal forwarders
- B. Splunk Cloud
- C. Linux package managers
- D. Windows using WMI
Answer:
A
Explanation:
Reference:
https://community.splunk.com/t5/Deployment-Architecture/Push-apps-from-
deployment-server-automatically-to-universal/m-p/328191
Question 14
All search-time field extractions should be specified on which Splunk component?
- A. Deployment server
- B. Universal forwarder
- C. Indexer
- D. Search head
Answer:
C
Explanation:
Reference:
https://github.com/packetiq/SplunkArchitect/blob/master/README/props.conf.spec
Question 15
Which artifact is required in the request header when creating an HTTP event?
- A. ackID
- B. Token
- C. Manifest
- D. Host name
Answer:
B
Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/FormateventsforHTTPEventCollector