Question No. 1

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

A1

B3

C4

D5

Show Answer

Correct Answer: D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

'Enterprise Trial license. If you get five or more warnings in a rolling 30 days period, you are in violation of your license. Dev/Test license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Developer license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. BUT for Free license. If you get three or more warnings in a rolling 30 days period, you are in violation of your license.'

Question No. 2

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Show Answer

Correct Answer: D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

'Specify how far (how many characters) into an event Splunk software should look for a timestamp.' since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.

Question No. 3

Given a forwarder with the following outputs.conf configuration:

[tcpout : mypartner]

Server = 145.188.183.184:9097

[tcpout : hfbank]

server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997

Which of the following is a true statement?

AData will continue to flow to hfbank if 145.1 g a) 183.184 : 9097 is unreachable.

BData is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP.

CData is encrypted to mypartner because 145.183.184 : 9097 is specified by IP.

DData will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

Show Answer

Correct Answer: A

The outputs.conf file defines how forwarders send data to receivers1.You can specify some output configurations at installation time (Windows universal forwarders only) or the CLI, but most advanced configuration settings require that you edit outputs.conf1.

The [tcpout:...] stanza specifies a group of forwarding targets that receive data over TCP2.You can define multiple groups with different names and settings2.

The server setting lists one or more receiving hosts for the group, separated by commas2.If you specify multiple hosts, the forwarder load balances the data across them2.

Therefore, option A is correct, because the forwarder will send data to both inputsl.mysplunkhfs.corp:9997 and inputs2.mysplunkhfs.corp:9997, even if 145.188.183.184:9097 is unreachable.

Question No. 4

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Ainputs.conf

Bmonitor.conf

Coutputs.conf

Dforwarder.conf

Show Answer

Correct Answer: A, C

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder

--Key configuration files are: inputs.conf controls how the forwarder collects data. outputs.conf controls how the forwarder sends data to an indexer or other forwarder server.conf for connection and performance tuning deploymentclient.conf for connecting to a deployment server

Configuretheuniversalforwarder

Question No. 5

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Show Answer

Correct Answer: B

Free Splunk SPLK-1003 Exam Actual Questions

The questions for SPLK-1003 were last updated On Dec 16, 2024