Splunk Splunk Certifications SPLK-1003 Questions & Answers

• Question 41:

  Which of the following enables compression for universal forwarders in outputs. conf ? A)

  

  B)

  

  C)

  

  D)

  

  A. Option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

  # Compression # # This example sends compressed events to the remote indexer. # NOTE: Compression can be enabled TCP or SSL outputs only. # The receiver input port should also have compression enabled. [tcpout] server = splunkServer.example.com:4433 compressed = true

• Question 42:

  How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON A)

  

  B)

  

  C)

  

  D)

  

  A. option A

  B. Option B

  C. Option C

  D. Option D

  Correct Answer: C

  https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

• Question 43:

  User role inheritance allows what to be inherited from the parent role? (select all that apply)

  A. Parents

  B. Capabilities

  C. Index access

  D. Search history

  Correct Answer: BC

  https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_i nheritance https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

• Question 44:

  Which of the following are supported options when configuring optional network inputs?

  A. Metadata override, sender filtering options, network input queues (quantum queues)

  B. Metadata override, sender filtering options, network input queues (memory/persistent queues)

  C. Filename override, sender filtering options, network output queues (memory/persistent queues)

  D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

  Correct Answer: B

  https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

• Question 45:

  What is the default character encoding used by Splunk during the input phase?

  A. UTF-8

  B. UTF-16

  C. EBCDIC

  D. ISO 8859

  Correct Answer: A

  https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

  "Configure character set encoding. Splunk software attempts to apply UTF-8 encoding to your scources by default. If a source foesn't use UTF-8 encoding or is a non-ASCII file, Splunk software tries to convert data from the source to UTF-8 encoding unless you specify a character set to use by setting the CHARSET key in the props.conf file."

• Question 46:

  What options are available when creating custom roles? (select all that apply)

  A. Restrict search terms

  B. Whitelist search terms

  C. Limit the number of concurrent search jobs

  D. Allow or restrict indexes that can be searched.

  Correct Answer: ACD

  https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Admin/ConcurrentLimits "Set limits for concurrent scheduled searches. You must have the edit_search_concurrency_all and edit_search_concurrency_scheduled capabilities to configure these settings."

• Question 47:

  How does the Monitoring Console monitor forwarders?

  A. By pulling internal logs from forwarders.

  B. By using the forwarder monitoring add-on

  C. With internal logs forwarded by forwarders.

  D. With internal logs forwarded by deployment server.

  Correct Answer: C

  Quoting the following Splunk URL reference https://docs.splunk.com/Documentation/Splunk/8.2.2/DMC/DMCprerequisites "Monitoring Console setup prerequisites. Forward internal logs (both $SPLUNK_HOME/car/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. Without this step, many dashboards will lack data."

• Question 48:

  Where can scripts for scripted inputs reside on the host file system? (select all that apply)

  A. $SFLUNK_HOME/bin/scripts

  B. $SPLUNK_HOME/etc/apps/bin

  C. $SPLUNK_HOME/etc/system/bin

  D. $S?LUNK_HOME/etc/apps//bin_

  Correct Answer: ACD

  "Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system: $SPLUNK_HOME/etc/system/bin $SPLUNK_HOME/etc/apps//bin $SPLUNK_HOME/bin/scripts As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system."

• Question 49:

  Within props. conf, which stanzas are valid for data modification? (select all that apply)

  A. Host

  B. Server

  C. Source

  D. Sourcetype

  Correct Answer: ACD

  "* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts." https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

• Question 50:

  What is the correct order of steps in Duo Multifactor Authentication?

  A. 1 Request Login

  2. Connect to SAML server

  3 Duo MFA

  4 Create User session

  5 Authentication Granted 6. Log into Splunk

  B. 1. Request Login 2 Duo MFA

  3. Authentication Granted 4 Connect to SAML server

  5.

  Log into Splunk

  6.

  Create User session

  C. 1 Request Login 2 Check authentication / group mapping 3 Authentication Granted

  4.

  Duo MFA

  5.

  Create User session

  6.

  Log into Splunk

  D. 1 Request Login 2 Duo MFA

  3. Check authentication / group mapping

  4 Create User session

  5. Authentication Granted

  6 Log into Splunk

  Correct Answer: C

  Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

  Scroll down to the Network Diagram section and note the following 6 similar steps: 1 - SPlunk connection initiated 2 - Primary authentication 3 - Splunk connection established to Duo Security over TCP port 443 4 - Secondary authentication via Duo Security's service 5 - Splunk receives authentication response 6 - Splunk session logged in.