Is this exam completely free?

Examcademy offers a free preview for every exam, covering around 20% of the total questions. Full access is available with a paid upgrade.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! Examcademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our mock exams are built and reviewed with the help of AI and community contributions, staying aligned with real-world exam objectives.

SPLK-1003Free trial

By splunk

Verified

25Q per page

Question 1

Which setting in indexes.conf allows data retention to be controlled by time?

A: maxDaysToKeep
B: moveToFrozenAfter
C: maxDataRetentionTime
D: frozenTimePeriodInSecs

—

Question 2

Where should apps be located on the deployment server that the clients pull from?

A: $SPLUNK_HOME/etc/apps
B: $SPLUNK_HOME/etc/search
C: $SPLUNK_HOME/etc/master-apps
D: $SPLUNK_HOME/etc/deployment-apps

—

Question 3

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

A: SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
B: SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
C: SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
D: SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

—

Question 4

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

A: It requires a separate channel provided by the client.
B: It is configured the same as indexer acknowledgement used to protect in-flight data.
C: It can be enabled at the global setting level.
D: It stores status information on the Splunk server.

—

Question 5

What action is required to enable forwarder management in Splunk Web?

A: Navigate to Settings > Server Settings > General Settings, and set an App server port.
B: Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
C: Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.
D: Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

—

Question 6

Which of the following is accurate regarding the input phase?

A: Breaks data into events with timestamps.
B: Applies event-level transformations.
C: Fine-tunes metadata.
D: Performs character encoding.

—

Question 7

When indexing a data source, which fields are considered metadata?

A: source, host, time
B: time, sourcetype, source
C: host, raw, sourcetype
D: sourcetype, source, host

—

Question 8

What is the default value of LINE_BREAKER?

A: \r\n
B: ([\r\n]+)
C: \r+\n+
D: (\r\n+)

—

Question 9

Which of the following monitor inputs stanza headers would match all of the following files?
/var/log/www1/secure.log
/var/log/www/secure.l
/var/log/www/logs/secure.logs
/var/log/www2/secure.log

A: [monitor:///var/log/.../secure.*]
B: [monitor:///var/log/www1/secure.*]
C: [monitor:///var/log/www1/secure.log]
D: [monitor:///var/log/www*/secure.*]

—

Question 10

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

A: host=server1 index=unixinfo
B: host=server1 index=searchinfo
C: host=searchsvr1 index=searchinfo
D: host=unixsvr1 index=unixinfo

—

Question 11

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

A: bucketdb
B: frozendb
C: colddb
D: db

—

Question 12

The LINE_BREAKER attribute is configured in which configuration file?

A: props.conf
B: indexes.conf
C: inputs.conf
D: transforms.conf

—

Question 13

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

A: /var/log/messages
B: /var/log/maillog
C: /var/log/maillog and /var/log/messages
D: none of the above

—

Question 14

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

A: channelTTL
B: connectionTimeout
C: autoLBFrequency
D: secsInFailureInterval

—

Question 15

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A: followTail = -45d
B: ignore = 45d
C: includeNewerThan = 45d
D: ignoreOlderThan = 45d

—

Question 16

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A: 90 days
B: 60 days
C: 7 days
D: 14 days

—

Question 17

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

A: Indexer
B: Deployment server
C: Universal forwarder
D: Search head

—

Question 18

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A: Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.
B: Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
C: Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
D: Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

—

Question 19

Which Splunk forwarder has a built-in license?

A: Light forwarder
B: Heavy forwarder
C: Universal forwarder
D: Cloud forwarder

—

Question 20

What happens when the same username exists in Splunk as well as through LDAP?

A: Splunk user is automatically deleted from authentication.conf.
B: LDAP settings take precedence.
C: Splunk settings take precedence.
D: LDAP user is automatically deleted from authentication.conf.

—

Question 21

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A: /opt/splunk/etc/apps/search/bin/lister.sh
B: unknown
C: lister
D: lister.sh

—

Question 22

Which of the following applies only to Splunk index data integrity check?

A: Lookup table
B: Summary Index
C: Raw data in the index
D: Data model acceleration

—

Question 23

Which of the following types of data count against the license daily quota?

A: Replicated data
B: splunkd logs
C: Summary index data
D: Windows internal logs

—

Question 24

In which phase of the index time process does the license metering occur?

A: Input phase
B: Parsing phase
C: Indexing phase
D: Licensing phase

—

Question 25

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches -

Edit shared objects and alerts -
Not allowed to create custom roles

A: admin
B: power
C: user
D: splunk-system-role

—

Page 1 of 7 • Questions 1-25 of 173

1 2 3 4 5

→

Free preview mode

Enjoy the free questions and consider upgrading to gain full access!