Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 1:

  Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

  A. props.conf

  B. inputs.conf

  C. outputs.conf

  D. collections.conf

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."

  Reference: https://community.splunk.com/t5/Getting-Data-In/How-to-configure-search-head-to-forwardinternal-data-to-the/td-p/111658

• Question 2:

  On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

  A. The blacklist takes precedence over the whitelist.

  B. The whitelist takes precedence over the blacklist.

  C. Wildcards are not supported in any client filters.

  D. Machine type filters are applied before the whitelist and blacklist.

  Correct Answer: A

  Reference: https://community.splunk.com/t5/Getting-Data-In/Can-I-use-both-the-whitelist-AND-blacklist-forthe-same/td-p/390910

• Question 3:

  Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

  A. inputs.conf

  B. monitor.conf

  C. outputs.conf

  D. forwarder.conf

  Correct Answer: AC

  Reference:

  https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/ Configuretheuniversalforwarder

• Question 4:

  The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers.

  Following best practices, which types of Splunk component instances are needed?

  A. Indexers, search head, universal forwarders, license master

  B. Indexers, search head, deployment server, universal forwarders

  C. Indexers, search head, deployment server, license master, universal forwarder

  D. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

  Correct Answer: C

• Question 5:

  How can native authentication be disabled in Splunk?

  A. Remove the $SPLUNK_HOME/etc/passwd file

  B. Create an empty $SPLUNK_HOME/etc/passwd file

  C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

  D. Set nativeAuthentication=false in authentication.conf

  Correct Answer: B

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount

• Question 6:

  If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

  A. Indexer

  B. Forwarder

  C. Search head

  D. Deployment server

  Correct Answer: A

  "Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf"

  Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

• Question 7:

  Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed.

  What other index must be cleaned to reset the input checkpoint information for that file?

  A. _audit

  B. _checkpoint

  C. _introspection

  D. _thefishbucket

  Correct Answer: D

  reset Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use.

  https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport Reference: http://docshare02.docshare.tips/files/4773/47733589.pdf

• Question 8:

  Which is a valid stanza for a network input?

  A. [udp://172.16.10.1:9997] connection = dns sourcetype = dns

  B. [any://172.16.10.1:10001] connection_host = ip sourcetype = web

  C. [tcp://172.16.10.1:9997] connection_host = web sourcetype = web

  D. [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns

  Correct Answer: D

• Question 9:

  Which additional component is required for a search head cluster?

  A. Deployer

  B. Cluster Master

  C. Monitoring Console

  D. Management Console

  Correct Answer: A

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeploymentoverview

  The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.tSearch/SHCdeploymentoverview

• Question 10:

  When are knowledge bundles distributed to search peers?

  A. After a user logs in.

  B. When Splunk is restarted.

  C. When adding a new search peer.

  D. When a distributed search is initiated.

  Correct Answer: D

  "The search head replicates the knowledge bundle periodically in the background or when initiating a search. " "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend