Splunk 1003 - Question Banks


Question #1 Topic 1
Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs

Question #2 Topic 1
The universal forwarder has which capabilities when sending data? (Choose all that apply.)
A. Sending alerts
B. Compressing data
C. Obfuscating/hiding data
D. Indexer acknowledgement

Question #3 Topic 1
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first.

Question #4 Topic 1
In which Splunk configuration is the SEDCMD used?
A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf

Question #5 Topic 1
Which of the following are supported configuration methods to add inputs on a forwarder? (Choose all that apply.)
A. CLI
B. Edit inputs.conf
C. Edit forwarder.conf
D. Forwarder Management

Question #6 Topic 1
Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default

Question #7 Topic 1
Which forwarder type can parse data prior to forwarding?
A. Universal forwarder
B. Heaviest forwarder
C. Hyper forwarder
D. Heavy forwarder

Correct Answer: D

Question #8 Topic 1
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers

Question #9 Topic 1
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
A. Deployer
B. Cluster master
C. Deployment server
D. Search head cluster master

Question #10 Topic 1
Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps

Question #11 Topic 1
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above

Question #12 Topic 1
In which phase of the index-time process does the license metering occur?
A. Input phase
B. Parsing phase
C. Indexing phase
D. Licensing phase

Question #13 Topic 1
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?
A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Question #14 Topic 1
When running the command shown below, what is the default path in which deploymentserver.conf is created?
splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default
D. SPLUNK_HOME/etc/apps/deployment

Question #15 Topic 1
The priority of layered Splunk configuration files depends on the file's:
A. Owner
B. Weight
C. Context
D. Creation time

Question #16 Topic 1
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
A. Slash notation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression

Question #17 Topic 1
What is required when adding a native user to Splunk? (Choose all that apply.)
A. Password
B. Username
C. Full Name
D. Default app

Question #18 Topic 1
What are the minimum required settings when creating a network input in Splunk?
A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number

Question #19 Topic 1
Which Splunk component requires a Forwarder license?
A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder

Question #20 Topic 1
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER_ROUTING

Question #21 Topic 1
To set up a network input in Splunk, what needs to be specified?
A. File path.
B. Username and password.
C. Network protocol and port number.
D. Network protocol and MAC address.

Question #22 Topic 1
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
A. Universal forwarder
B. Parsing forwarder
C. Heavy forwarder
D. Advanced forwarder

Question #23 Topic 1
Which of the following statements describe deployment management? (Choose all that apply.)
A. Requires an Enterprise license.
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders.
D. Can automatically restart the host OS running the forwarder.

Question #24 Topic 1
During search time, which directory of configuration files has the highest precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default
C. $SPLUNK_HOME/etc/apps/app1/local
D. $SPLUNK_HOME/etc/users/admin/local

Question #25 Topic 1
Within props.conf, which stanzas are valid for data modification? (Choose all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype

Question #26 Topic 1
What is the correct order of steps in Duo Multifactor Authentication?
A. 1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk
B. 1. Request Login 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session
C. 1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk
D. 1. Request Login 2. Duo MFA 3. Check authentication / group mapping 4. Create User session 5. Authentication Granted 6. Log into Splunk

Question #27 Topic 1
Where can scripts for scripted inputs reside on the host file system? (Choose all that apply.)
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/apps/bin
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps/<your_app>/bin

Question #28 Topic 1
How does the Monitoring Console monitor forwarders?
A. By pulling internal logs from forwarders.
B. By using the forwarder monitoring add-on.
C. With internal logs forwarded by forwarders.
D. With internal logs forwarded by deployment server.

Question #29 Topic 1
What options are available when creating custom roles? (Choose all that apply.)
A. Restrict search terms.
B. Whitelist search terms.
C. Limit the number of concurrent search jobs.
D. Allow or restrict indexes that can be searched.

Question #30 Topic 1
Which of the following are supported options when configuring optional network inputs?
A. Metadata override, sender filtering options, network input queues (quantum queues)
B. Metadata override, sender filtering options, network input queues (memory/persistent queues)
C. Filename override, sender filtering options, network output queues (memory/persistent queues)
D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Question #31 Topic 1
What is the default character encoding used by Splunk during the input phase?
A. UTF-8
B. UTF-16
C. EBCDIC
D. ISO 8859

Question #32 Topic 1
Which of the following enables compression for universal forwarders in outputs.conf?
A. [udpout:mysplunk_indexer11] compression=true
B. [tcpout] defaultGroup=my_indexers compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false

Question #33 Topic 1
User role inheritance allows what to be inherited from the parent role? (Choose all that apply.)
A. Parents
B. Capabilities
C. Index access
D. Search history

Question #34 Topic 1
Which of the following statements apply to directory inputs? (Choose all that apply.)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Question #35 Topic 1
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A. [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
B. [distributedSearch] servers = nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON] default = false servers = houston1, houston2
C. [distributedSearch] servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
D. [distributedSearch] servers = nyc1:8089; nyc2:80893; houston1:8089; houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:80897706; houston2:80898350

Question #36 Topic 1
Which of the following is a valid distributed search group?
A. [distributedSearch:Paris] default = false servers = server1, server2
B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089
C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997
D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Question #37 Topic 1
Local user accounts created in Splunk store passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

Correct Answer: A

Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Asami  Highly Voted  1 year, 3 months ago
A. $SPLUNK_HOME/etc/passwd
upvoted 8 times

ucsdmiami2020  4 weeks, 1 day ago
Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf "To set the default username and password, place user-seed.conf in $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used."
upvoted 1 times

Question #38 Topic 1
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True
B. False
C. <regex string>
D. Newline Character

Correct Answer: B

Reference: https://answers.splunk.com/answers/704533/what-are-the-best-practices-for-defining-source-ty.html

amporiik  Highly Voted  1 year, 2 months ago
B. False
upvoted 5 times

ucsdmiami2020  3 weeks, 1 day ago
Agreed B. Quoting the Splunk reference URL https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking
Attribute : SHOULD_LINEMERGE = [true|false]
Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.
Default : true
upvoted 1 times

mikey_76  Most Recent  1 month ago
If it's a single line event, then SHOULD_LINEMERGE is set to False
upvoted 2 times

10/27/21, 2:57 PM SPLK-1003 Exam – Free Actual Q&As, Page 1 | ExamTopics https://www.examtopics.com/exams/splunk/splk-1003/custom-view/ 42/107

Question #39 Topic 1
Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server

Question #40 Topic 1
Which layers are involved in Splunk configuration file layering? (Choose all that apply.)
A. App context
B. User context
C. Global context
D. Forwarder context

Question #41 Topic 1
Which of the following are methods for adding inputs in Splunk? (Choose all that apply.)
A. CLI
B. Splunk Web
C. Editing inputs.conf
D. Editing monitor.conf

Question #42 Topic 1
Which of the following authentication types requires scripting in Splunk?
A. ADFS
B. LDAP
C. SAML
D. RADIUS

Question #43 Topic 1
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Question #44 Topic 1
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
A. ... is not supported in monitor stanzas.
B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Question #45 Topic 1
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs

Question #46 Topic 1
Which valid bucket types are searchable? (Choose all that apply.)
A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets

Question #47 Topic 1
How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.

Question #48 Topic 1
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
A. Any OS platform.
B. Linux platform only.
C. Windows platform only.
D. None of the above.

Question #49 Topic 1
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
A. REGEX, DEST, FORMAT
B. REGEX, SRC_KEY, FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING

Question #50 Topic 1
Which of the following indexes come pre-configured with Splunk Enterprise? (Choose all that apply.)
A. _licence
B. _internal
C. _external
D. _thefishbucket

Question #51 Topic 1
How often does Splunk recheck the LDAP server?
A. Every 5 minutes.
B. Each time a user logs in.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.

Question #52 Topic 1
Where are license files stored?
A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses

Question #53 Topic 1
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Question #54 Topic 1
Which Splunk component performs indexing and responds to search requests from the search head?
A. Forwarder
B. Search peer
C. License master
D. Search head cluster

Question #55 Topic 1
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
A. App Class
B. Client Class
C. Server Class
D. Forwarder Class

Question #56 Topic 1
In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366
A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30

Question #57 Topic 1
Which of the following are required when defining an index in indexes.conf? (Choose all that apply.)
A. coldPath
B. homePath
C. frozenPath
D. thawedPath

Question #58 Topic 1
Which of the following apply to how distributed search works? (Choose all that apply.)
A. The search head dispatches searches to the peers.
B. The search peers pull the data from the forwarders.
C. Peers run searches in parallel and return their portion of results.
D. The search head consolidates the individual results and prepares reports.

Question #59 Topic 1
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
A. Disk
B. CPUs
C. Memory
D. Network interface cards

Question #60 Topic 1
Which authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)
A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication

Question #61 Topic 1
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)
A. props.conf
B. inputs.conf
C. rawdata.conf
D. transforms.conf

Question #62 Topic 1
What conf file needs to be edited to set up distributed search groups?
A. props.conf
B. search.conf
C. distsearch.conf
D. distibutedsearch.conf

Question #63 Topic 1
After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?
A. index=main
B. index=test
C. index=summary
D. index=_internal

Question #64 Topic 1
Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)
A. Index once.
B. Monitor interval.
C. On-demand monitor.
D. Continuously monitor.

Question #65 Topic 1
Which is a valid stanza for a network input?
A. [udp://172.16.10.1:9997] connection = dns sourcetype = dns
B. [any://172.16.10.1:10001] connection_host = ip sourcetype = web
C. [tcp://172.16.10.1:9997] connection_host = web sourcetype = web
D. [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns

Question #66 Topic 1
Which additional component is required for a search head cluster?
A. Deployer
B. Cluster Master
C. Monitoring Console
D. Management Console

Question #67 Topic 1
When are knowledge bundles distributed to search peers?
A. After a user logs in.
B. When Splunk is restarted.
C. When adding a new search peer.
D. When a distributed search is initiated.

Question #68 Topic 1
Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?
A. _audit
B. _checkpoint
C. _introspection
D. _thefishbucket

Question #69 Topic 1
If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?
A. Indexer
B. Forwarder
C. Search head
D. Deployment server

Question #70 Topic 1
How can native authentication be disabled in Splunk?
A. Remove the $SPLUNK_HOME/etc/passwd file
B. Create an empty $SPLUNK_HOME/etc/passwd file
C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
D. Set nativeAuthentication=false in authentication.conf

Question #71 Topic 1
The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?
A. Indexers, search head, universal forwarders, license master
B. Indexers, search head, deployment server, universal forwarders
C. Indexers, search head, deployment server, license master, universal forwarder
D. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Question #72 Topic 1
Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)
A. inputs.conf
B. monitor.conf
C. outputs.conf
D. forwarder.conf

Question #73 Topic 1
On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?
A. The blacklist takes precedence over the whitelist.
B. The whitelist takes precedence over the blacklist.
C. Wildcards are not supported in any client filters.
D. Machine type filters are applied before the whitelist and blacklist.

Question #74 Topic 1
Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
A. props.conf
B. inputs.conf
C. outputs.conf
D. collections.conf

Question #75 Topic 1
When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?
A. Enable indexer acknowledgment.
B. Enable forwarder acknowledgment.
C. splunk check-integrity -index <index name>
D. index=_internal component=ACK | stats count by host

Question #76 Topic 1
What is the valid option for a [monitor] stanza in inputs.conf?
A. enabled
B. datasource
C. server_name
D. ignoreOlderThan

Question #77 Topic 1
Which of the following is a benefit of distributed search?
A. Peers run search in sequence.
B. Peers run search in parallel.
C. Resilience from indexer failure.
D. Resilience from search head failure.

Question #79 Topic 1
The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=*
What field can the administrator check to see the data distribution?
A. host
B. index
C. linecount
D. splunk_server

Question #80 Topic 1
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?
A. props.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 KEY = _raw
B. props.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
C. transforms.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw

Question #81 Topic 1
Where are deployment server apps mapped to clients?
A. Apps tab in forwarder management interface or clientapps.conf.
B. Clients tab in forwarder management interface or deploymentclient.conf.
C. Server Classes tab in forwarder management interface or serverclass.conf.
D. Client Applications tab in forwarder management interface or clientapps.conf.

Question #82 Topic 1
Which Splunk configuration file is used to enable data integrity checking?
A. props.conf
B. global.conf
C. indexes.conf
D. data_integrity.conf

Question #83 Topic 1
An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the index?
A. Buy a bigger Splunk license.
B. Add 2.5 TB each day for the next 5 days.
C. Add all 10 TB in a single 24 hour period.
D. Add 200 GB of historical data each day for 50 days.

Question #84 Topic 1
After how many warnings within a rolling 30-day period will a license violation occur with an enforced Enterprise license?
A. 1
B. 3
C. 4
D. 5

Question #85 Topic 1
Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?
A. Duo Administrator
B. LDAP Administrator
C. SAML Administrator
D. Trio Administrator

Question #86 Topic 1
When does a warm bucket roll over to a cold bucket?
A. When Splunk is restarted.
B. When the maximum warm bucket age has been reached.
C. When the maximum warm bucket size has been reached.
D. When the maximum number of warm buckets is reached.

Question #87 Topic 1
In a distributed environment, which Splunk component is used to distribute apps and configurations to the other Splunk instances?
A. Indexer
B. Deployer
C. Forwarder
D. Deployment server

Question #88 Topic 1
How is a remote monitor input distributed to forwarders?
A. As an app.
B. As a forward.conf file.
C. As a monitor.conf file.
D. As a forwarder monitor profile.

Question #89 Topic 1
How is data handled by Splunk during the input phase of the data ingestion process?
A. Data is treated as streams.
B. Data is broken up into events.
C. Data is initially written to disk.
D. Data is measured by the license meter.

Question #90 Topic 1
Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?
A. Upload option
B. Forward option
C. Monitor option
D. Download option

Question #91 Topic 1
An organization wants to collect Windows performance data from a set of clients; however, installing Splunk software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?
A. Use Local Windows host monitoring.
B. Use Windows Remote Inputs with WMI.
C. Use Local Windows network monitoring.
D. Use an index with an Index Data Type of Metrics.

Question #92 Topic 1
Which of the following must be done to define user permissions when integrating Splunk with LDAP?
A. Map Users
B. Map Groups
C. Map LDAP Inheritance
D. Map LDAP to Active Directory

Question #93 Topic 1
In which phase do indexed extractions in props.conf occur?
A. Inputs phase
B. Parsing phase
C. Indexing phase
D. Searching phase

Question #94 Topic 1
Which of the following statements describes how distributed search works?
A. Forwarders pull data from the search peers.
B. Search heads store a portion of the searchable data.
C. The search head dispatches searches to the search peers.
D. Search results are replicated within the indexer cluster.

Question #95 Topic 1
Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?
A. Apps
B. Search
C. Data preview
D. Forwarder inputs

Question #96 Topic 1
Which of the following statements accurately describes using SSL to secure the feed from a forwarder?
A. It does not encrypt the certificate password.
B. SSL automatically compresses the feed by default.
C. It requires that the forwarder be set to compressed=true.
D. It requires that the receiver be set to compression=true.

Question #97 Topic 1
Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of users?
A. Linked roles
B. Grantable roles
C. Role federation
D. Role inheritance

Question #98 Topic 1
Which of the following is the use case for the deployment server feature of Splunk?
A. Managing distributed workloads in a Splunk environment.
B. Automating upgrades of Splunk forwarder installations on endpoints.
C. Orchestrating the operations and scale of a containerized Splunk deployment.
D. Updating configuration and distributing apps to processing components, primarily forwarders.

Question #99 Topic 1
When running a real-time search, search results are pulled from which Splunk component?
A. Heavy forwarders and search peers
B. Heavy forwarders
C. Search heads
D. Search peers

Question #100 Topic 1
Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Question #101 Topic 1
Which of the following accurately describes HTTP Event Collector indexer acknowledgement?
A. It requires a separate channel provided by the client.
B. It is configured the same as indexer acknowledgement used to protect in-flight data.
C. It can be enabled at the global setting level.
D. It stores status information on the Splunk server.

Question #102 Topic 1
What action is required to enable forwarder management in Splunk Web?
A. Navigate to Settings > Server Settings > General Settings, and set an App server port.
B. Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
C. Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.
D. Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Question #103 Topic 1
Which of the following is accurate regarding the input phase?
A. Breaks data into events with timestamps.
B. Applies event-level transformations.
C. Fine-tunes metadata.
D. Performs character encoding.

Question #104 Topic 1
When indexing a data source, which fields are considered metadata?
A. source, host, time
B. time, sourcetype, source
C. host, raw, sourcetype
D. sourcetype, source, host

Question #105 Topic 1
What is the default value of LINE_BREAKER?
A. \r\n
B. ([\r\n]+)
C. \r+\n+
D. (\r\n+)

Question #106 Topic 1
Which of the following monitor inputs stanza headers would match all of the following files?
/var/log/www1/secure.log
/var/log/www/secure.l
/var/log/www/logs/secure.logs
/var/log/www2/secure.log
A. [monitor:///var/log/.../secure.*]
B. [monitor:///var/log/www1/secure.*]
C. [monitor:///var/log/www1/secure.log]
D. [monitor:///var/log/www*/secure.*]

Question #107 Topic 1
What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?
A. host=server1 index=unixinfo
B. host=server1 index=searchinfo
C. host=searchsvr1 index=searchinfo
D. host=unixsvr1 index=unixinfo

Question #108 Topic 1
An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)
A. bucketdb
B. frozendb
C. colddb
D. db

Question #109 Topic 1
The LINE_BREAKER attribute is configured in which configuration file?
A. props.conf
B. indexes.conf
C. inputs.conf
D. transforms.conf

Question #110 Topic 1
After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?
A. channelTTL
B. connectionTimeout
C. autoLBFrequency
D. secsInFailureInterval

Question #111 Topic 1
A log file contains 193 days' worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?
A. followTail = -45d
B. ignore = 45d
C. includeNewerThan = 45d
D. ignoreOlderThan = 45d

Question #112 Topic 1
After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?
A. 90 days
B. 60 days
C. 7 days
D. 14 days

Question #113 Topic 1
Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?
A. Indexer
B. Deployment server
C. Universal forwarder
D. Search head

Question #114 Topic 1
Which of the following is an appropriate description of a deployment server in a non-cluster environment?
A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.
B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Question #115 Topic 1
Which Splunk forwarder has a built-in license?
A. Light forwarder
B. Heavy forwarder
C. Universal forwarder
D. Cloud forwarder

Question #116 Topic 1
What happens when the same username exists in Splunk as well as through LDAP?
A. Splunk user is automatically deleted from authentication.conf.
B. LDAP settings take precedence.
C. Splunk settings take precedence.
D. LDAP user is automatically deleted from authentication.conf.

Question #117 Topic 1
Consider the following stanza in inputs.conf:
What will the value of the source field be for events generated by this scripted input?
A. /opt/splunk/etc/apps/search/bin/lister.sh
B. unknown
C. lister
D. lister.sh

Question #118 Topic 1
Which of the following applies only to Splunk index data integrity check?
A. Lookup table
B. Summary Index
C. Raw data in the index
D. Data model acceleration

Question #119 Topic 1
Which of the following types of data count against the license daily quota?
A. Replicated data
B. splunkd logs
C. Summary index data
D. Windows internal logs
