Which Splunk component would one use to perform line breaking prior to indexing?
A. Heavy Forwarder
B. Universal Forwarder
C. Search head
D. This can only be done at the indexing layer.
In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?
A. services/collector
B. services/inputs?raw
C. services/data/collector
D. data/collector
In inputs.conf, which stanza would mean Splunk was only reading one local file?
A. [read://opt/log/crashlog/Jan27crash.txt]
B. [monitor::/opt/log/crashlog/Jan27crash.txt]
C. [monitor:///opt/log/]
D. [monitor:///opt/log/crashlog/Jan27crash.txt]
How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.
Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?
A. Apps
B. Search
C. Data preview
D. Forwarder inputs
Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs
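Added example, not part of the exam page: an indexes.conf stanza for a hypothetical index named app_logs that shows the two retention limits Splunk evaluates independently for every index, a time limit and a size limit, together with an archive directory so that frozen buckets are kept rather than deleted. The index name, the 90-day figure and the archive path are assumptions.

```ini
# indexes.conf on the indexer (added example; index name and paths are assumptions)
[app_logs]
homePath   = $SPLUNK_DB/app_logs/db
coldPath   = $SPLUNK_DB/app_logs/colddb
thawedPath = $SPLUNK_DB/app_logs/thaweddb

# Time-based retention: a bucket is frozen once its newest event is older
# than this many seconds (90 days here). The default is 188697600 (6 years).
frozenTimePeriodInSecs = 7776000

# Size-based retention runs alongside the time limit: whichever threshold
# is reached first freezes the oldest bucket. Default is 500000 MB.
maxTotalDataSizeMB = 500000

# Frozen buckets are deleted unless an archive location is given. With
# coldToFrozenDir set, Splunk strips the index files and moves the raw
# data to this directory (it must be writable by the splunk user).
# To restore, copy a bucket into thawedPath and run "splunk rebuild".
coldToFrozenDir = /archive/splunk/app_logs
```

The freeze decision is made per bucket on the newest event time in that bucket, so one event with a badly parsed future timestamp keeps the whole bucket on disk well past the intended retention; tight timestamp parsing on the ingest side is part of retention hygiene, not just search hygiene.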
Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?
A. _audit
B. _checkpoint
C. _introspection
D. _thefishbucket
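Added example, not part of the exam page, covering the inputs.conf question above (one file versus a directory) and the reindexing question here: monitor stanzas for a single file, for a directory with path filters, and the crcSalt setting that controls how Splunk recognises a file it has already read. All paths, index and sourcetype names are assumptions.

```ini
# inputs.conf on the forwarder (added example; paths, index and sourcetype names are assumptions)

# One file: the stanza path is the file itself, so only that file is read.
[monitor:///opt/log/crashlog/Jan27crash.txt]
index = crashes
sourcetype = app_crash
disabled = false

# A directory: every file under it is consumed, recursively by default.
# whitelist/blacklist are regexes matched against the full path; new files
# that appear later are picked up without a restart.
[monitor:///opt/log/]
index = applogs
recursive = true
whitelist = \.log$
blacklist = \.(gz|zip|bak)$
ignoreOlderThan = 30d

# Checkpoint caveat: Splunk identifies a file by a CRC of its first 256
# bytes, so files that share an identical header are treated as already
# seen. crcSalt = <SOURCE> mixes the path into the CRC so each path is
# tracked separately. Never set it on rotating logs, where renamed files
# would be reindexed as duplicates.
[monitor:///opt/log/static/*.log]
crcSalt = <SOURCE>
```

The checkpoint (file CRC plus the offset already read) is stored in the fishbucket, not in the index that received the events, which is why cleaning the data index alone does not cause a file to be reread. To reset a single file rather than every checkpoint on the host, stop the forwarder and run `splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file /opt/log/crashlog/Jan27crash.txt --reset`.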
Which of the following is an appropriate description of a deployment server in a non-cluster environment?
A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.
B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.
Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)
A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication
Which of the following statements apply to directory inputs? (select all that apply)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.
Which of the methods listed below supports multi-factor authentication?
A. Lightweight Directory Access Protocol (LDAP)
B. Security Assertion Markup Language (SAML)
C. Single Sign-on (SSO)
D. OpenID
What is the correct order of steps in Duo Multifactor Authentication?
A. 1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk
B. 1. Request Login 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session
C. 1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk
D. 1. Request Login 2. Duo MFA 3. Check authentication / group mapping 4. Create User session 5. Authentication Granted 6. Log into Splunk
The LINE_BREAKER attribute is configured in which configuration file?
A. props.conf
B. indexes.conf
C. inputs.conf
D. transforms.conf
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?
A. props.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1
B. props.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1
C. transforms.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1
D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1
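Added example, not part of the exam page and not a reproduction of any option above, covering the two preceding questions together: a props.conf stanza for a hypothetical sourcetype app_log that sets event breaking with LINE_BREAKER and timestamp extraction, and an SSN mask written two ways, as a transforms.conf REGEX/FORMAT stanza that rewrites _raw and as a SEDCMD. The sourcetype name, the assumed event layout (each event begins with an ISO-8601 timestamp) and the masking pattern are assumptions.

```ini
# props.conf (added example; sourcetype name and event layout are assumptions)
# Parsing-phase settings take effect only where the parsing pipeline runs,
# i.e. on an indexer or a heavy forwarder. A universal forwarder does not
# parse, so this file has no effect on breaking, timestamps or masking there.
[app_log]
# Break on the newline run that precedes an ISO-8601 timestamp. Capture
# group 1 is the delimiter and belongs to neither event; the lookahead
# keeps continuation lines (stack traces) attached to their event.
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})
# LINE_BREAKER already produces whole events; re-merging is slower and is
# where guessed breaks go wrong.
SHOULD_LINEMERGE = false
TRUNCATE = 10000

# Timestamp: anchored at the event start, fixed format, short lookahead so
# a date inside the message body is never mistaken for the event time.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3NZ
MAX_TIMESTAMP_LOOKAHEAD = 24
TZ = UTC

# Masking, option 1: hand the event to a transforms.conf stanza.
TRANSFORMS-mask_ssn = mask-ssn

# Masking, option 2: inline sed-style substitution, \1 keeps the last four
# digits, the g flag masks every occurrence. Use one option, not both.
SEDCMD-mask_ssn = s/\b\d{3}-\d{2}-(\d{4})\b/XXX-XX-\1/g

# transforms.conf
[mask-ssn]
# With DEST_KEY = _raw the FORMAT value becomes the entire event, so the
# regex must capture everything before and after the SSN or the rest of
# the event is discarded. (?ms) lets ^ and $ span a multi-line event.
REGEX = (?ms)^(.*)\d{3}-\d{2}-(\d{4}.*)$
FORMAT = $1XXX-XX-$2
DEST_KEY = _raw
```

Two caveats a practitioner wants here. The transform form rewrites the event once, and because the first group is greedy it masks the last SSN in the event and leaves any earlier one intact, so for PII the SEDCMD form with the g flag is the safer default. And masking happens before indexing only on the instance that parses: with universal forwarders sending straight to indexers, the unmasked value still travels the wire (use TLS on the forwarder-to-indexer connection) and the masking stanzas must be deployed to the indexers, not the forwarders.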
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A. Option A
B. Option B
C. Option C
D. Option D
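Added example, not part of the exam page (the question's own options A to D are not reproduced above): a distsearch.conf on the search head that defines a HOUSTON search server group, which is what a search restricted with splunk_server_group=HOUSTON is dispatched against. Hostnames, ports and the second group are assumptions.

```ini
# distsearch.conf on the search head (added example; hostnames and group names are assumptions)
[distributedSearch]
# Every search peer the head knows about. A search with no group is sent
# to all of them; a group may only contain peers that appear here.
servers = https://idx-hou-01:8089,https://idx-hou-02:8089,https://idx-dal-01:8089,https://idx-dal-02:8089

# A search server group is a named subset of those peers. The stanza
# suffix is the value that splunk_server_group=<name> matches in a search.
[distributedSearch:HOUSTON]
servers = https://idx-hou-01:8089,https://idx-hou-02:8089

[distributedSearch:DALLAS]
servers = https://idx-dal-01:8089,https://idx-dal-02:8089
# Setting default = true on a group would make it the target of searches
# that name no group; leaving it unset keeps the all-peers behaviour.
```

splunk_server_group is resolved on the search head before dispatch, so it narrows which peers receive the search rather than filtering results afterwards; a group name that does not exist in this file simply returns no results, which is worth checking before assuming the peers are down.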