Splunk SPLK-1003 Free Dumps Questions Online, Read and Test Now.

NEW QUESTION 1
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

  • A. Universal forwarder
  • B. Parsing forwarder
  • C. Heavy forwarder
  • D. Advanced forwarder

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Forwarding/Typesofforwarders

NEW QUESTION 2
Which Splunk component does a search head primarily communicate with?

  • A. Indexer
  • B. Forwarder
  • C. Cluster master
  • D. Deployment server

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/InheritedDeployment/Deploymenttopology

NEW QUESTION 3
How does the Monitoring Console monitor forwarders?

  • A. By pulling internal logs from forwarders.
  • B. By using the forwarder monitoring add-on.
  • C. With internal logs forwarded by forwarders.
  • D. With internal logs forwarded by deployment server.

Answer: A

NEW QUESTION 4
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?

  • A. _TCP_ROUTING
  • B. _INDEXER_LIST
  • C. _INDEXER_GROUP
  • D. _INDEXER_ROUTING

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Monitorfilesanddirectorieswithinputs.conf

NEW QUESTION 5
Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

  • A. CLI
  • B. Splunk Web
  • C. Editing inputs.conf
  • D. Editing monitor.conf

Answer: AB

Explanation:
Reference: http://dev.splunk.com/view/dev-guide/SP-CAAAE3A

NEW QUESTION 6
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

  • A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
  • B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
  • C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
  • D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Answer: D

Explanation:
Reference: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html

NEW QUESTION 7
Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)

  • A. $SPLUNK_HOME/bin/scripts
  • B. $SPLUNK_HOME/etc/apps/bin
  • C. $SPLUNK_HOME/etc/system/bin
  • D. $SPLUNK_HOME/etc/apps/<your_app>/bin

Answer: ACD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Getdatafromscriptedinputs#Where_to_place_the_scripts_for_scripted_inputs

NEW QUESTION 8
Which forwarder type can parse data prior to forwarding?

  • A. Universal forwarder
  • B. Heaviest forwarder
  • C. Hyper forwarder
  • D. Heavy forwarder

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Typesofforwarders

NEW QUESTION 9
When running the command shown below, what is the default path in which deploymentserver.conf is created?
splunk set deploy-poll deployServer:port

  • A. SPLUNK_HOME/etc/deployment
  • B. SPLUNK_HOME/etc/system/local
  • C. SPLUNK_HOME/etc/system/default
  • D. SPLUNK_HOME/etc/apps/deployment

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Configuredeploymentclients

NEW QUESTION 10
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?

  • A. REGEX, DEST, FORMAT
  • B. REGEX, SRC_KEY, FORMAT
  • C. REGEX, DEST_KEY, FORMAT
  • D. REGEX, DEST_KEY, FORMATTING

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Transformsconf

NEW QUESTION 11
Which of the following statements describe deployment management? (Select all that apply.)

  • A. Requires an Enterprise license.
  • B. Is responsible for sending apps to forwarders.
  • C. Once used, is the only way to manage forwarders.
  • D. Can automatically restart the host OS running the forwarder.

Answer: A

NEW QUESTION 12
In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example: 2021-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

  • A. MAX_TIMESTAMP_LOOKAHEAD = 5
  • B. MAX_TIMESTAMP_LOOKAHEAD = 10
  • C. MAX_TIMESTAMP_LOOKAHEAD = 20
  • D. MAX_TIMESTAMP_LOOKAHEAD = 30

Answer: B

NEW QUESTION 13
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

  • A. /var/log/messages
  • B. /var/log/maillog
  • C. /var/log/maillog and /var/log/messages
  • D. none of the above

Answer: C

NEW QUESTION 14
Which of the following are required when defining an index in indexes.conf? (Select all that apply.)

  • A. coldPath
  • B. homePath
  • C. frozenPath
  • D. thawedPath

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

NEW QUESTION 15
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

  • A. App Class
  • B. Client Class
  • C. Server Class
  • D. Forwarder Class

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Createdeploymentapps

NEW QUESTION 16
Which parent directory contains the configuration files in Splunk?

  • A. $SPLUNK_HOME/etc
  • B. $SPLUNK_HOME/var
  • C. $SPLUNK_HOME/conf
  • D. $SPLUNK_HOME/default

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

NEW QUESTION 17
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

  • A. ... is not supported in monitor stanzas.
  • B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
  • C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
  • D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

NEW QUESTION 18
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

  • A. Indexers
  • B. Forwarder
  • C. Search head
  • D. Search peers

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Advancedindexingstrategy

NEW QUESTION 19
How do you remove missing forwarders from the Monitoring Console?

  • A. By restarting Splunk.
  • B. By rescanning active forwarders.
  • C. By reloading the deployment server.
  • D. By rebuilding the forwarder asset table.

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/447096/how-to-remove-missing-forwarders-from-the-distribu.html

NEW QUESTION 20
Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)

  • A. CLI
  • B. Edit inputs.conf
  • C. Edit forwarder.conf
  • D. Forwarder Management

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Configuretheuniversalforwarder
