Splunk Enterprise Certified Admin (SPLK-1003) Free Practice Test

Question 1

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder's outputs. and the tcpout stanza are setup correctly. What else could be the cause of this scaling issue? (select all that apply)

A. The receiving port is not properly setup to listen on the right port.

B. The inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

C. The indexAndForward value is not set properly.

D. The DNS record used is not setup with a valid list of IP addresses.

Correct Answer: A,D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 2

An index stores its data in buckets. Which default directories does Splunk use to store buckets?
(Choose all that apply.)

A. colddb

B. bucketdb

C. db

D. frozendb

Correct Answer: A,C

Question 3

What is a role in Splunk? (select all that apply)

A. A classification that determines what indexes a user can search.

B. A classification that determines if a Splunk server can remotely control another Splunk server.

C. A classification that determines what capabilities a user has.

D. A classification that determines what functions a Splunk server controls.

Correct Answer: A,C

Question 4

During search time, which directory of configuration files has the highest precedence?

A. $SFLUNK_KOME/etc/system/local

B. $SPLUNK_HCME/etc/apps/app1/local

C. $SPLUNK HCME/etc/users/admin/local

D. $SPLUNK_KCME/etc/system/default

Correct Answer: C

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 5

An admin is configuring a Universal Forwarder and runs the following command:
splunk add forward-server 10.1.2.3:9997
Following this action, to what index are the Splunk logs sent?

A. _internal

B. _inputs

C. _main

D. _logs

Correct Answer: A

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 6

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A. 14 days

B. 90 days

C. 7 days

D. 60 days

Correct Answer: D

Question 7

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

A. <regex string>

B. False

C. True

D. Newline Character

Correct Answer: B

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 8

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output:
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

A. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

B. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

D. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

Correct Answer: B

Question 9

Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?

A. Monitor

B. Upload

C. Tail Reader

D. MonitorNoHandIe

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Question 10

Which of the following is an acceptable channelvalue when using the HTTP Event Collector indexer acknowledgement capability?

A. Hash Checksum

B. DNS

C. IP Address

D. GUID

Correct Answer: D

Explanation: Only visible for TestSimulate members. You can sign-up / login (it's free).

Welcome to TestSimulate

Splunk Enterprise Certified Admin (SPLK-1003) Free Practice Test