Is this exam completely free?

ExamCademy offers a free preview for every exam, covering around 20% of the total questions. Full access to all questions is available for free by signing up for an account. Optional supporters unlock AstroTutor (AI tutor) and advanced study modes.

Can I practice IT certification exams from Microsoft, AWS, or CompTIA?

Yes! ExamCademy supports a wide range of IT certification exams including Microsoft Azure, AWS Cloud Practitioner, and CompTIA A+ and Security+.

How accurate are the mock exams?

Our practice questions are community-created and moderator-reviewed to align with realistic exam objectives, style, and difficulty.

SPLK-1003 by Splunk - Page 1 | ExamCademy

Mode Selection

Question 1

Question 2

Question 3

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

A SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
B SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
C SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
D SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Question 4

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

A It requires a separate channel provided by the client.
B It is configured the same as indexer acknowledgement used to protect in-flight data.
C It can be enabled at the global setting level.
D It stores status information on the Splunk server.

Question 5

What action is required to enable forwarder management in Splunk Web?

A Navigate to Settings > Server Settings > General Settings, and set an App server port.
B Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
C Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.
D Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Question 6

Which of the following is accurate regarding the input phase?

A Breaks data into events with timestamps.
B Applies event-level transformations.
C Fine-tunes metadata.
D Performs character encoding.

Question 7

When indexing a data source, which fields are considered metadata?

A source, host, time
B time, sourcetype, source
C host, raw, sourcetype
D sourcetype, source, host

Question 8

What is the default value of LINE_BREAKER?

A \r\n
B ([\r\n]+)
C \r+\n+
D (\r\n+)

Question 9

Which of the following monitor inputs stanza headers would match all of the following files?
/var/log/www1/secure.log
/var/log/www/secure.l
/var/log/www/logs/secure.logs
/var/log/www2/secure.log

A [monitor:///var/log/.../secure.*]
B [monitor:///var/log/www1/secure.*]
C [monitor:///var/log/www1/secure.log]
D [monitor:///var/log/www*/secure.*]

Question 10

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Question 11

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

A bucketdb
B frozendb
C colddb
D db

Question 12

The LINE_BREAKER attribute is configured in which configuration file?

A props.conf
B indexes.conf
C inputs.conf
D transforms.conf

Question 13

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?

A /var/log/messages
B /var/log/maillog
C /var/log/maillog and /var/log/messages
D none of the above

Question 14

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

A channelTTL
B connectionTimeout
C autoLBFrequency
D secsInFailureInterval

Question 15

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A followTail = -45d
B ignore = 45d
C includeNewerThan = 45d
D ignoreOlderThan = 45d

Question 16

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A 90 days
B 60 days
C 7 days
D 14 days

Question 17

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

A Indexer
B Deployment server
C Universal forwarder
D Search head

Question 18

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.
B Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
C Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
D Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Question 19

Which Splunk forwarder has a built-in license?

A Light forwarder
B Heavy forwarder
C Universal forwarder
D Cloud forwarder

Question 20

What happens when the same username exists in Splunk as well as through LDAP?

A Splunk user is automatically deleted from authentication.conf.
B LDAP settings take precedence.
C Splunk settings take precedence.
D LDAP user is automatically deleted from authentication.conf.

Question 21

Consider the following stanza in inputs.conf:

Question 22

Which of the following applies only to Splunk index data integrity check?

A Lookup table
B Summary Index
C Raw data in the index
D Data model acceleration

Question 23

Which of the following types of data count against the license daily quota?

A Replicated data
B splunkd logs
C Summary index data
D Windows internal logs

Question 24

In which phase of the index time process does the license metering occur?

A Input phase
B Parsing phase
C Indexing phase
D Licensing phase

Question 25

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches -

Edit shared objects and alerts -
Not allowed to create custom roles

A admin
B power
C user
D splunk-system-role

Page 1 of 7 • Questions 1-25 of 173

1 2 3 4 5

→

Know a question that should be here? Contribute to this exam

Which setting in indexes.conf allows data retention to be controlled by time?

A maxDaysToKeep
B moveToFrozenAfter
C maxDataRetentionTime
D frozenTimePeriodInSecs

Where should apps be located on the deployment server that the clients pull from?

A $SPLUNK_HOME/etc/apps
B $SPLUNK_HOME/etc/search
C $SPLUNK_HOME/etc/master-apps
D $SPLUNK_HOME/etc/deployment-apps

A host=server1 index=unixinfo
B host=server1 index=searchinfo
C host=searchsvr1 index=searchinfo
D host=unixsvr1 index=unixinfo

What will the value of the source filed be for events generated by this scripts input?

A /opt/splunk/etc/apps/search/bin/lister.sh
B unknown
C lister
D lister.sh

SPLK-1003Preview