Summer Sale - Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: 65percent

Welcome To DumpsPedia

SPLK-1003 Sample Questions Answers

Questions 4

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Options:

A.

bucketdb

B.

frozendb

C.

colddb

D.

db

Buy Now
Questions 5

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Options:

A.

homepath

B.

thawedPath

C.

summaryHomePath

D.

colddeath

Buy Now
Questions 6

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

Options:

A.

The blacklist takes precedence over the whitelist.

B.

The whitelist takes precedence over the blacklist.

C.

Wildcards are not supported in any client filters.

D.

Machine type filters are applied before the whitelist and blacklist.

Buy Now
Questions 7

Which of the following statements describes how distributed search works?

Options:

A.

Forwarders pull data from the search peers.

B.

Search heads store a portion of the searchable data.

C.

The search head dispatches searches to the search peers.

D.

Search results are replicated within the indexer cluster.

Buy Now
Questions 8

User role inheritance allows what to be inherited from the parent role? (select all that apply)

Options:

A.

Parents

B.

Capabilities

C.

Index access

D.

Search history

Questions 9

Which parent directory contains the configuration files in Splunk?

Options:

A.

SSFLUNK_HOME/etc

B.

SSPLUNK_HOME/var

C.

SSPLUNK_HOME/conf

D.

SSPLUNK_HOME/default

Buy Now
Questions 10

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

Options:

A.

channelTTL

B.

connectionTimeout

C.

autoLBFrequency

D.

secsInFailurelnterval

Buy Now
Questions 11

Consider the following stanza ininputs.conf:

What will the value of the source filed be for events generated by this scripts input?

Options:

A.

/opt/splunk/ecc/apps/search/bin/liscer.sh

B.

unknown

C.

liscer

D.

liscer.sh

Buy Now
Questions 12

Which of the following are methods for adding inputs in Splunk? (select all that apply)

Options:

A.

CLI

B.

Splunk Web

C.

Editing inputs. conf

D.

Editing monitor. conf

Buy Now
Questions 13

To set up a Network input in Splunk, what needs to be specified ' ?

Options:

A.

File path.

B.

Username and password

C.

Network protocol and port number.

D.

Network protocol and MAC address.

Questions 14

What is the default purpose of a Splunk Deployment Server?

Options:

A.

To stage and deploy updates from $SPLUNK_HOME/etc/deployment-apps/

B.

To stage and deploy updates from $SPLUNK_HOME/etc/manager-apps/

C.

To stage and deploy updates from $SPLUNK_HOME/etc/apps/

D.

To stage and deploy updates from $SPLUNK_HOME/etc/peer-apps/

Buy Now
Questions 15

Search heads in a company ' s European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?

Options:

A.

Indexer clustering

B.

LDAP control

C.

Distributed search

D.

Search head clustering

Buy Now
Questions 16

Which of the following is true when authenticating users to Splunk using LDAP?

Options:

A.

LDAP group names must match the Splunk role name defined in authorize.conf.

B.

Splunk will search each LDAP strategy in the order in which they are listed in authentication.conf.

C.

Splunk only supports encrypted LDAP connections.

D.

LDAP will take precedence over local users with the same username as defined in etc/passwd.

Buy Now
Questions 17

A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?

Options:

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Buy Now
Questions 18

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of

users?

Options:

A.

Linked roles

B.

Grantable roles

C.

Role federation

D.

Role inheritance

Buy Now
Questions 19

How can native authentication be disabled in Splunk?

Options:

A.

Remove the $SPLUNK_HOME/etc/passwd file

B.

Create an empty $SPLUNK_HOME/etc/passwd file

C.

Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

D.

Set nativeAuthentication=false in authentication.conf

Buy Now
Questions 20

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

Options:

A.

Use Local Windows host monitoring.

B.

Use Windows Remote Inputs with WMI.

C.

Use Local Windows network monitoring.

D.

Use an index with an Index Data Type of Metrics.

Buy Now
Questions 21

Which valid bucket types are searchable? (select all that apply)

Options:

A.

Hot buckets

B.

Cold buckets

C.

Warm buckets

D.

Frozen buckets

Buy Now
Questions 22

When indexing a data source, which fields are considered metadata?

Options:

A.

source, host, time

B.

time, sourcetype, source

C.

host, raw, sourcetype

D.

sourcetype, source, host

Buy Now
Questions 23

Syslog files are being monitored on a Heavy Forwarder.

Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?

Options:

A.

Heavy Forwarder

B.

Indexer

C.

Search head

D.

Deployment server

Buy Now
Questions 24

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

Options:

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Buy Now
Questions 25

What is a role in Splunk? (select all that apply)

Options:

A.

A classification that determines what capabilities a user has.

B.

A classification that determines if a Splunk server can remotely control another Splunk server.

C.

A classification that determines what functions a Splunk server controls.

D.

A classification that determines what indexes a user can search.

Buy Now
Questions 26

Which artifact is required in the request header when creating an HTTP event?

Options:

A.

ackID

B.

Token

C.

Manifest

D.

Host name

Buy Now
Questions 27

Given a forwarder with the following outputs.conf configuration:

[tcpout : mypartner]

Server = 145.188.183.184:9097

[tcpout : hfbank]

server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997

Which of the following is a true statement?

Options:

A.

Data will continue to flow to hfbank if 145.1 ga. 183.184 : 9097 is unreachable.

B.

Data is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP.

C.

Data is encrypted to mypartner because 145.183.184 : 9097 is specified by IP.

D.

Data will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

Buy Now
Questions 28

How is a remote monitor input distributed to forwarders?

Options:

A.

As an app.

B.

As a forward.conf file.

C.

As a monitor.conf file.

D.

As a forwarder monitor profile.

Buy Now
Questions 29

How is data handled by Splunk during the input phase of the data ingestion process?

Options:

A.

Data is treated as streams.

B.

Data is broken up into events.

C.

Data is initially written to disk.

D.

Data is measured by the license meter.

Buy Now
Questions 30

What action could be taken to prevent a license warning with an ingest-based license?

Options:

A.

Add a new license before midnight on the indexer(s).

B.

Delete the data before midnight on the indexer(s).

C.

Add a new license before midnight on the license manager.

D.

Delete the data before midnight on the license manager.

Buy Now
Questions 31

What event-processing pipelines are used to process data for indexing? (select all that apply)

Options:

A.

fifo pipeline

B.

Indexing pipeline

C.

Parsing pipeline

D.

Typing pipeline

Buy Now
Questions 32

When using a directory monitor input, specific source types can be selectively overridden using which configuration file?

Options:

A.

sourcetypes . conf

B.

trans forms . conf

C.

outputs . conf

D.

props . conf

Buy Now
Questions 33

What options are available when creating custom roles? (select all that apply)

Options:

A.

Restrict search terms

B.

Whitelist search terms

C.

Limit the number of concurrent search jobs

D.

Allow or restrict indexes that can be searched.

Buy Now
Questions 34

Which of the following types of data count against the license daily quota?

Options:

A.

Replicated data

B.

splunkd logs

C.

Summary index data

D.

Windows internal logs

Buy Now
Questions 35

Which of the following are supported options when configuring optional network inputs?

Options:

A.

Metadata override, sender filtering options, network input queues (quantum queues)

B.

Metadata override, sender filtering options, network input queues (memory/persistent queues)

C.

Filename override, sender filtering options, network output queues (memory/persistent queues)

D.

Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Questions 36

The CLI command splunk add forward-server indexer: < receiving-port > will create stanza(s) in

which configuration file?

Options:

A.

inputs.conf

B.

indexes.conf

C.

outputs.conf

D.

servers.conf

Buy Now
Questions 37

What are the minimum required settings when creating a network input in Splunk?

Options:

A.

Protocol, port number

B.

Protocol, port, location

C.

Protocol, username, port

D.

Protocol, IP. port number

Buy Now
Questions 38

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

Options:

A.

Apps

B.

Search

C.

Data preview

D.

Forwarder inputs

Buy Now
Questions 39

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

Options:

A.

Nothing changes.

B.

The peer-apps local directory becomes the highest priority.

C.

The app local directories move to second in the priority list.

D.

The system default directory ' becomes the highest priority.

Buy Now
Questions 40

Local user accounts created in Splunk store passwords in which file?

Options:

A.

$ SFLUNK_HOME/etc/passwd

B.

$ SFLUNK_HOME/etc/authentication

C.

$ S?LUNK_HOME/etc/users/passwd.conf

D.

$ SPLUNK HOME/etc/users/authentication.conf

Buy Now
Questions 41

Which pathway represents where a network input in Splunk might be found?

Options:

A.

$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B.

$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C.

$SPLUNK HOME/ system/ local /udp.conf

D.

$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Buy Now
Questions 42

Which Splunk component does a search head primarily communicate with?

Options:

A.

Indexer

B.

Forwarder

C.

Cluster master

D.

Deployment server

Buy Now
Questions 43

When should the Data Preview feature be used?

Options:

A.

When extracting fields for ingested data.

B.

When previewing the data before searching.

C.

When reviewing data on the source host.

D.

When validating the parsing of data.

Buy Now
Questions 44

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

Options:

A.

/var/log/messages

B.

/var/log/maillog

C.

/var/log/maillog and /var/log/messages

D.

none of the above

Buy Now
Questions 45

What happens when the same username exists in Splunk as well as through LDAP?

Options:

A.

Splunk user is automatically deleted from authentication.conf.

B.

LDAP settings take precedence.

C.

Splunk settings take precedence.

D.

LDAP user is automatically deleted from authentication.conf

Buy Now
Questions 46

In which phase do indexed extractions in props.conf occur?

Options:

A.

Inputs phase

B.

Parsing phase

C.

Indexing phase

D.

Searching phase

Buy Now
Questions 47

A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.

Which command would meet these needs?

Options:

A.

splunk add one shot / opt/ incident [data .log —index incident

B.

splunk edit monitor /opt/incident/data.* —index incident

C.

splunk add monitor /opt/incident/data.log —index incident

D.

splunk edit oneshot [opt/ incident/data.* —index incident

Buy Now
Questions 48

In which Splunk configuration is the SEDCMD used?

Options:

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Buy Now
Questions 49

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

Options:

A.

On Universal Forwarder, $SPLUNK_HOME/etc/apps

B.

On Deployment Server, $SPLUNK_HOME/etc/apps

C.

On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

D.

On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Buy Now
Questions 50

When does a warm bucket roll over to a cold bucket?

Options:

A.

When Splunk is restarted.

B.

When the maximum warm bucket age has been reached.

C.

When the maximum warm bucket size has been reached.

D.

When the maximum number of warm buckets is reached.

Buy Now
Questions 51

What is the correct order of steps in Duo Multifactor Authentication?

Options:

A.

1 Request Login2. Connect to SAML server3 Duo MFA4 Create User session5 Authentication Granted 6. Log into Splunk

B.

1. Request Login 2 Duo MFA3. Authentication Granted 4 Connect to SAML server5. Log into Splunk6. Create User session

C.

1 Request Login2 Check authentication / group mapping3 Authentication Granted4. Duo MFA5. Create User session6. Log into Splunk

D.

1 Request Login 2 Duo MFA3. Check authentication / group mapping4 Create User session5. Authentication Granted6 Log into Splunk

Buy Now
Questions 52

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

Options:

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Buy Now
Questions 53

How does the Monitoring Console monitor forwarders?

Options:

A.

By pulling internal logs from forwarders.

B.

By using the forwarder monitoring add-on

C.

With internal logs forwarded by forwarders.

D.

With internal logs forwarded by deployment server.

Buy Now
Questions 54

The universal forwarder has which capabilities when sending data? (select all that apply)

Options:

A.

Sending alerts

B.

Compressing data

C.

Obfuscating/hiding data

D.

Indexer acknowledgement

Questions 55

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

Options:

A.

Upload option

B.

Forward option

C.

Monitor option

D.

Download option

Buy Now
Questions 56

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

Options:

A.

If Splunk is restarted, data will be queued and then sent when Splunk has restarted.

B.

Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

C.

The host value associated with data received will be the IP address that sent the data.

D.

If Splunk is restarted, data may be lost.

Buy Now
Questions 57

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

Options:

A.

Deployer

B.

Cluster master

C.

Deployment server

D.

Search head cluster master

Buy Now
Questions 58

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

Options:

A.

Indexer

B.

Deployer

C.

Forwarder

D.

Deployment server

Buy Now
Questions 59

Which of the following is a valid method to create a Splunk user?

Options:

A.

Create a support ticket.

B.

Create a user on the host operating system.

C.

Splunk REST API.

D.

Add the username to users. conf.

Buy Now
Questions 60

Seven different network switches are sending traffic to a server hosting a Universal Forwarder . Three of the devices are sending TCP data and four of the devices are sending UDP data.

What is the minimum number of input stanzas that must be created on the Universal Forwarder to successfully capture data from all seven sources?

Options:

A.

One

B.

Seven

C.

Four

D.

Two

Buy Now
Questions 61

A Splunk app named cisco_collector contains a Python modular input. Where in Splunk’s directory structure will the modular input script be located?

Options:

A.

$SPLUNK_HOME/etc/apps/cisco_collector/bin/cisco_collector.py

B.

$SPLUNK_HOME/etc/deployment-apps/cisco_collector/cisco_collector.py

C.

$SPLUNK_HOME/etc/apps/cisco_collector.py

D.

$SPLUNK_HOME/etc/apps/mod_input/cisco_collector.py

Buy Now
Questions 62

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Options:

A.

props.conf

B.

inputs.conf

C.

rawdata.conf

D.

transforms.conf

Buy Now
Questions 63

What is the default character encoding used by Splunk during the input phase?

Options:

A.

UTF-8

B.

UTF-16

C.

EBCDIC

D.

ISO 8859

Buy Now
Exam Code: SPLK-1003
Exam Name: Splunk Enterprise Certified Admin
Last Update: Jul 16, 2026
Questions: 211

PDF + Testing Engine

$59.99 $171.4

Testing Engine

$44.99 $128.55

PDF (Q&A)

$49.99 $142.82