
SPLK-1003 Online Practice Questions and Answers

Questions 4

Which Splunk component would one use to perform line breaking prior to indexing?

A. Heavy Forwarder

B. Universal Forwarder

C. Search head

D. This can only be done at the indexing layer.

Browse 182 Q&As
Questions 5

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

A. services/collector

B. services/inputs?raw

C. services/data/collector

D. data/collector

Questions 6

In inputs.conf, which stanza would mean Splunk was only reading one local file?

A. [read://opt/log/crashlog/Jan27crash.txt]

B. [monitor::/opt/log/crashlog/Jan27crash.txt]

C. [monitor:///opt/log/]

D. [monitor:///opt/log/crashlog/Jan27crash.txt]

Questions 7

How do you remove missing forwarders from the Monitoring Console?

A. By restarting Splunk.

B. By rescanning active forwarders.

C. By reloading the deployment server.

D. By rebuilding the forwarder asset table.

Questions 8

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?

A. Apps

B. Search

C. Data preview

D. Forwarder inputs

Questions 9

Which setting in indexes.conf allows data retention to be controlled by time?

A. maxDaysToKeep

B. moveToFrozenAfter

C. maxDataRetentionTime

D. frozenTimePeriodInSecs

Questions 10

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

A. _audit

B. _checkpoint

C. _introspection

D. _thefishbucket

Questions 11

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.

B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Questions 12

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

A. LDAP

B. SAML

C. RADIUS

D. Duo Multifactor Authentication

Questions 13

Which of the following statements apply to directory inputs? (select all that apply)

A. All discovered text files are consumed.

B. Compressed files are ignored by default.

C. Splunk recursively traverses through the directory structure.

D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Questions 14

Which of the methods listed below supports multi-factor authentication?

A. Lightweight Directory Access Protocol (LDAP)

B. Security Assertion Markup Language (SAML)

C. Single Sign-on (SSO)

D. OpenID

Questions 15

What is the correct order of steps in Duo Multifactor Authentication?

A. 1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk

B. 1. Request Login 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session

C. 1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk

D. 1. Request Login 2. Duo MFA 3. Check authentication / group mapping 4. Create User session 5. Authentication Granted 6. Log into Splunk

Questions 16

The LINE_BREAKER attribute is configured in which configuration file?

A. props.conf

B. indexes.conf

C. inputs.conf

D. transforms.conf

Questions 17

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.

Which configuration file and stanza pair will mask possible SSNs in the log events?

A. props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1###-##-$2
KEY = _raw

B. props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1###-##-$2
DEST_KEY = _raw

C. transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1###-##-$2
DEST_KEY = _raw

D. transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1###-##-$2
DEST_KEY = _raw

Questions 18

How would you configure your distsearch.conf to allow you to run the search below?

sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

A. Option A

B. Option B

C. Option C

D. Option D

Exam Code: SPLK-1003
Exam Name: Splunk Enterprise Certified Admin
Last Update: Mar 16, 2025
Questions: 182 Q&As
