SPLK-1003 Splunk Enterprise Certified Admin
Study online at https://quizlet.com/_b6eqdt

7. A license stack is
a) A distributed license environment governed by a license master.
b) A quantity of license volume "carved out" for a specific purpose.
c) A collection of licenses whose individual licensing volume amounts aggregate to serve as a single unified amount of indexing volume.
d) A Splunk Enterprise instance controlled by a license master.
Answer: A collection of licenses whose individual licensing volume amounts aggregate to serve as a single unified amount of indexing volume.
10. To start Splunk from the command line, you need to be in the _____ directory.
a) bin
b) etc
c) lib
d) var
Answer: bin
13. With which Splunk component can you forward data directly to a search head?
a) .conf file
b) Indexer
c) Receiver
d) Forwarder
Answer: Forwarder
17. Which of the following are the two categories of Splunk components?
a) Searching and Deploying
b) Parsing and Indexing
c) Delivery and Installation
d) Processing and Management
Answer: Processing and Management
19. What happens when there are multiple instances of the same configuration file?
a) Splunk asks which one you want to delete
b) Splunk combines all stanzas from all configuration files and applies them globally
c) Splunk evaluates them based on precedence
d) Splunk crashes
Answer: Splunk combines all stanzas from all configuration files and applies them globally
23. The general precedence for configuration files is
a) local then default
b) default then local
c) local then modified
d) modified then local
Answer: local then default
24. Which of the following is the best way to see which stanzas from which configuration files Splunk is using at runtime?
a) Run the search "runtime=*"
b) Use btool
c) Check the Linux PIDs or Windows Perfmon for running processes
d) Delete all unnecessary configuration files
Answer: Use btool
36. The CLI command to check hashes to validate data is
a) ./splunk start --accept-license
b) ./splunk check-integrity -bucketPath [ bucket path ] [ -verbose ]
c) ./splunk cmd -btool list [ filename ]
d) ./splunk cmd <tool>
Answer: ./splunk check-integrity -bucketPath [ bucket path ] [ -verbose ]
39. The three types of Splunk authentication are
a) Web, CLI, and hybrid.
b) TLS, Splunkauth, and root.
c) Native, LDAP, and scripted.
d) Kerberos, SSL, and SSH.
Answer: Native, LDAP, and scripted.
40. Which of the following is not one of the four default roles in Splunk?
a) can_delete
b) power
c) sudo
d) admin
Answer: sudo
41. How are users, roles, and capabilities related?
a) Roles are assigned to users, and users contain sets of capabilities
b) Users are assigned roles, and roles are sets of capabilities
c) Users and roles are both assigned capabilities
d) Capabilities are directly assigned to users. Splunk does not have roles
Answer: Users are assigned roles, and roles are sets of capabilities
43. True or False: If you need custom roles outside of the Splunk default ones, you should edit the Splunk default roles to meet your needs.
Answer: False
54. What is the CLI command to add a monitor input?
a) ./splunk add monitor input <monitor://>
b) ./splunk add input <monitor://>
c) ./splunk add input <path>
d) ./splunk add monitor <path>
Answer: ./splunk add monitor <path>
c) 2, 1, 5, 3, 4
d) 1, 2, 5, 4, 3
60. Which of the following is not one of the three scaling tiers?
a) Search management
b) Parsing
c) Indexing
d) Data input
Answer: Parsing
61. True or False: A FQDN is not required for search head clustering.
Answer: False
62. Splunk recommends a minimum of ___ cluster members in a search head cluster.
a) three
b) two
c) four
d) one
Answer: three
64. What is the CLI command to add a cluster member?
a) splunk new shcluster-member -current_member_uri <URI>:<management_port>
b) splunk add shcluster-member -current_member_uri <URI>:<management_port>
c) splunk shcluster-member-add -<URI>
d) splunk add shcluster-member -captain_uri <Captain_URI>:<management_port>
Answer: splunk add shcluster-member -current_member_uri <URI>:<management_port>
65. What is the CLI command to bootstrap a cluster captain?
a) splunk bootstrap shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
b) splunk enable captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
c) splunk add shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
d) splunk makecaptain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
Answer: splunk bootstrap shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
66. During the parsing phase, Splunk
a) Accepts forwarding, monitoring, network, and scripted inputs
b) Breaks the data stream into individual events
c) Writes the data onto index buckets
d) Authenticates against the master node
Answer: Breaks the data stream into individual events
68. How are compressed file inputs handled in Splunk?
a) Splunk uncompresses them before processing.
b) Splunk leaves them compressed, but is able to process their contents.
c) Splunk ignores compressed files as they are not a supported file input type.
d) Splunk indexes the compressed files as if they were a standard file type, ignoring the compressed contents (but the filename and other metadata will still be available).
Answer: Splunk uncompresses them before processing.
72. Which type of forwarder would you use if you want to be able to index data locally?
a) Universal
b) Heavy
c) Light
d) SNMP
Answer: Heavy
74. Which preliminary step should be taken before data is forwarded to an indexer or search head?
a) Configure the forwarder to collect and send data
b) Start the forwarder
c) Install a forwarder
d) Configure receiving on the indexer or search head
Answer: Configure receiving on the indexer or search head
80. Which two types of load balancing are available for forwarders?
a) Number of forwarders or number of indexers
b) License type or time interval
c) Specified size of instance or age of data
d) Specified time or volume interval
Answer: Specified time or volume interval
84. Which of the following is the best definition of a server-class?
a) A Windows Server-specific function that allows you to monitor Exchange and Active Directory.
b) Groups of Splunk Enterprise instances that receive content from deployment servers.
c) A specific stanza in server.conf that you configure on each heavy forwarder in your distributed environment.
d) A Splunk Enterprise instance that acts as a centralized configuration manager.
Answer: Groups of Splunk Enterprise instances that receive content from deployment servers.
85. Which of the following can not be included in a deployment app?
a) A bundle of arbitrary content that you want to distribute to deployment clients.
b) A full Splunk Enterprise app that you want to distribute to deployment clients.
c) Scripts and supporting files that you want to distribute to deployment clients.
d) Heavy forwarders that you want to distribute to deployment clients.
Answer: Heavy forwarders that you want to distribute to deployment clients.
87. What is the CLI command to refresh the deployment server after creating a deployment app?
a) splunk reload deploy-server
b) splunk restart
c) splunk refresh deployment-server
d) splunk start --accept-license
Answer: splunk reload deploy-server
88. Where can you view deployment apps on Splunk Web?
a) Add data
b) Receiver management
c) Forwarder management
d) Monitoring console
Answer: Forwarder management
94. The CLI command to add a monitor path is
a) splunk <path> monitor
b) splunk -add <path> monitor
c) splunk -monitor <path>
d) splunk add monitor <path>
Answer: splunk add monitor <path>
95. Which of the following is the best description of a Splunk batched file?
a) Batched files are a type of metrics index.
b) Batched files are not ingested at all, they are ignored.
c) Batched files are ingested, then deleted.
d) Batched files are treated like any other data input.
Answer: Batched files are ingested, then deleted.
97. True or False: Splunk Cloud accepts inputs only from configured with valid SSL certificates.
Answer: True
99. How should you handle SNMP data in a Splunk environment?
a) Forward the SNMP data to Splunk with a heavy forwarder.
b) Send the SNMP data directly to Splunk.
c) Have the sender write the SNMP data to a file, then have Splunk monitor that file.
d) Splunk cannot ingest SNMP data.
Answer: Have the sender write the SNMP data to a file, then have Splunk monitor that file.
103. To poll a database, web service, or API, you would want to use a
a) scripted input
b) network input
c) heavy forwarder
d) universal forwarder
Answer: scripted input
106. Perfmon, registry, and WMI are all examples of
a) UNIX/Linux agentless inputs
b) Windows agentless inputs
c) network agentless inputs
d) Forwarder agentless inputs
Answer: Windows agentless inputs
107. What is the best description of a "first-time run experience?"
a) Built-in GUI tools to manage Splunk infrastructure
b) A built-in dashboard that comes with an app that shows the current state of the Splunk environment
c) A GUI/visual function of an app that auto-discovers infrastructure or other Splunk components
d) All of the above
e) None of the above
Answer: All of the above
108. True or False: The Splunk app for Windows Infrastructure is a premium app (costs money).
Answer: False
109. To send data using the HEC, which components are required?
a) A web application, at least one forwarder, and at least one indexer or search head.
b) A web application, at least one heavy forwarder, and an indexer cluster.
c) A web application and at least one indexer or search head.
d) A web application, a deployment server, and at least one indexer or search head.
Answer: A web application and at least one indexer or search head.
112. Select the best description of a source type.
a) The default field that identifies the structure of the data in an event
b) The hostname of the machine from which the data originates
c) A user interface associated with an app
d) An alternate name that you assign to a field
Answer: The default field that identifies the structure of the data in an event
119. Which time zone is the default for timestamps?
a) The time zone, if specified, in the raw data
b) UTC
c) The time zone of the Splunk instance
d) GMT
Answer: The time zone of the Splunk instance
120. Values in the ___ field are stored in ___ time.
a) timestamp, Epoch
b) _time, UTC
c) timestamp, LINUX
d) _time, UNIX
Answer: _time, UNIX
126. When anonymizing data, which .conf file tells Splunk where the data to be anonymized is?
a) transforms.conf
b) inputs.conf
c) props.conf
d) server.conf
Answer: inputs.conf