Splunk SPLK-1003 Online Practice Questions and Exam Preparation

Splunk SPLK-1003 Online Questions & Answers

• Question 111:

  Which Splunk forwarder has a built-in license?

  A. Light forwarder
  B. Heavy forwarder
  C. Universal forwarder
  D. Cloud forwarder
  C. Universal forwarder

  ---

  Explanation/Reference:

  Reference:https://community.splunk.com/t5/Getting-Data-In/Do-we-need-a-license-for-Heavy-forwarder/m-p/210451

• Question 112:

  Which of the following are reasons to create separate indexes? (Choose all that apply.)

  A. Different retention times.
  B. Increase number of users.
  C. Restrict user permissions.
  D. File organization.
  A. Different retention times.
  C. Restrict user permissions.

  ---

  Explanation/Reference:

  Reference:https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have- multiple-indexes/m-p/12063

  Different retention times: You can set different retention policies for different indexes, depending on how long you want to keep the data. For example, you can have an index for security data that has a longer retention time than an index for performance data that has a shorter retention time.

  Restrict user permissions: You can set different access permissions for different indexes, depending on who needs to see the data. For example, you can have an index for sensitive data that is only accessible by certain users or roles, and an index for public data that is accessible by everyone.

• Question 113:

  Which of the following enables compression for universal forwarders in outputs. conf ?

  

  A. Option A
  B. Option B
  C. Option C
  D. Option D
  B. Option B

  ---

  Explanation/Reference:

  https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

  # Compression # # This example sends compressed events to the remote indexer. # NOTE: Compression can be enabled TCP or SSL outputs only. # The receiver input port should also have compression enabled. [tcpout] server = splunkServer.example.com:4433 compressed = true

• Question 114:

  What happens when there are conflicting settings within two or more configuration files?

  A. The setting is ignored until conflict is resolved.
  B. The setting for both values will be used together.
  C. The setting with the lowest precedence is used.
  D. The setting with the highest precedence is used.
  D. The setting with the highest precedence is used.

  ---

  Explanation/Reference:

  When there are conflicting settings within two or more configuration files, the setting with the highest precedence is used. The precedence of configuration files is determined by a combination of the file type, the directory location, and the alphabetical order of the file names.

• Question 115:

  Which of the following must be done to define user permissions when integrating Splunk with LDAP?

  A. Map Users
  B. Map Groups
  C. Map LDAP Inheritance
  D. Map LDAP to Active Directory
  B. Map Groups

  ---

  Explanation/Reference:

  https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb "You can map either users or groups, but not both. If you are using groups, all users must be members of an appropriate group. Groups inherit capabilities form the highest level role they're a member of." "If your LDAP environment does not have group entries, you can treat each user as its own group."

  Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/ConfigureLDAPwithSplunkWeb

• Question 116:

  Which of the following describes a Splunk deployment server?

  A. A Splunk Forwarder that deploys data to multiple indexers.
  B. A Splunk app installed on a Splunk Enterprise server.
  C. A Splunk Enterprise server that distributes apps.
  D. A server that automates the deployment of Splunk Enterprise to remote servers.
  C. A Splunk Enterprise server that distributes apps.

  ---

  Explanation/Reference:

  A Splunk deployment server is a system that distributes apps, configurations, and other assets to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk Enterprise components: forwarders, non-

  clustered indexers, and search heads.

  A Splunk deployment server is available on every full Splunk Enterprise instance. To use it, you must activate it by placing at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. A

  Splunk deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. A server class is a group of deployment clients that share one or more defined characteristics.

  A Splunk deployment client is a Splunk instance remotely configured by a deployment server. Deployment clients can be universal forwarders, heavy forwarders, indexers, or search heads. Each deployment client belongs to one or more

  server classes.

  A Splunk deployment app is a set of content (including configuration files) maintained on the deployment server and deployed as a unit to clients of a server class. A deployment app can be an existing Splunk Enterprise app or one developed

  solely to group some content for deployment purposes. Therefore, option C is correct, and the other options are incorrect.

• Question 117:

  When should the Data Preview feature be used?

  A. When extracting fields for ingested data.
  B. When previewing the data before searching.
  C. When reviewing data on the source host.
  D. When validating the parsing of data.
  D. When validating the parsing of data.

  ---

  Explanation/Reference:

  The Data Preview feature should be used when validating the parsing of data. The Data Preview feature allows you to preview how Splunk software will index your data before you commit the data to an index.You can use the Data Preview

  feature to check the following aspects of data parsing1:

  Timestamp recognition: You can verify that Splunk software correctly identifies the timestamps of your events and assigns them to the _time field. Event breaking: You can verify that Splunk software correctly breaks your data stream into

  individual events based on the line breaker and should linemerge settings.

  Source type assignment: You can verify that Splunk software correctly assigns a source type to your data based on the props.conf file settings. You can also manually override the source type if needed. Field extraction: You can verify that

  Splunk software correctly extracts fields from your events based on the transforms.conf file settings. You can also use the Interactive Field Extractor (IFX) to create custom field extractions. The Data Preview feature is available in Splunk Web

  under Settings > Data inputs > Data preview.You can access the Data Preview feature when you add a new input or edit an existing input1.

  The other options are incorrect because:

  A. When extracting fields for ingested data. The Data Preview feature can be used to verify the field extraction for data that has not been ingested yet, but not for data that has already been indexed.To extract fields from ingested data, you can use the IFX or the rex command in the Search app2.

  B. When previewing the data before searching. The Data Preview feature does not allow you to search the data, but only to view how it will be indexed. To preview thedata before searching, you can use the Search app and specify a time range or a sample ratio.

  C. When reviewing data on the source host. The Data Preview feature does not access the data on the source host, but only the data that has been uploaded or monitored by Splunk software. To review data on the source host, you can use the Splunk Universal Forwarder or the Splunk Add-on for Unix and Linux.

• Question 118:

  In a distributed environment, which Splunk component is used to distribute apps and configurations to the other Splunk instances?

  A. Indexer
  B. Deployer
  C. Forwarder
  D. Deployment server
  D. Deployment server

  ---

  Explanation/Reference:

  The deployer is a Splunk Enterprise instance that you use to distribute apps and certain other configuration updates to search head cluster members. The set of updates that the deployer distributes is called the configuration bundle.

• Question 119:

  Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

  A. LDAP
  B. SAML
  C. RADIUS
  D. Duo Multifactor Authentication
  A. LDAP
  B. SAML
  C. RADIUS

  ---

  Explanation/Reference:

  Reference:https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Setupuserauthent icationwithSplunk

  Splunk authentication: Provides Admin, Power and User by default, and you can define your own roles using a list of capabilities. If you have an Enterprise license, Splunk authentication is enabled by default. See Set up user authentication with Splunk's built-in system for more information. LDAP: Splunk Enterprise supports authentication with its internal authentication services or your existing LDAP server. See Set up user authentication with LDAP for more information. Scripted authentication API: Use scripted authentication to integrate Splunk authentication with an external authentication system, such as RADIUS or PAM. See Set up user authentication with external systems for more information. Note: Authentication, including native authentication, LDAP, and scripted authentication, is not available in Splunk Free.

• Question 120:

  Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

  A. Deployer
  B. Cluster master
  C. Deployment server
  D. Search head cluster master
  C. Deployment server

  ---

  Explanation/Reference:

  https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: "The deployment server distributes deployment apps to clients."