SPLK-1003 exam

Which of the following is accurate regarding the input phase?A . Breaks data into events with timestamps.B . Applies event-level transformations.C . Fine-tunes metadata.D . Performs character encoding.View AnswerAnswer: D Explanation: https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline "The data pipeline segments in depth. INPUT - In the input segment, Splunk software consumes data. It acquires...

In which phase do indexed extractions in props.conf occur?A . Inputs phaseB . Parsing phaseC . Indexing phaseD . Searching phaseView AnswerAnswer: B Explanation: The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE). Input phase inputs.conf props.conf CHARSET NO_BINARY_CHECK...

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678. Which configuration file and stanza pair will mask possible SSNs in the log events?A . props.conf [mask-SSN] REX = (?ms)^(.)<[SSN>d{3}-?d{2}-?(d{4}.*)$" FORMAT = $1<SSN>###-##-$2 KEY = _rawB . props.conf [mask-SSN]...

In which phase do indexed extractions in props.conf occur?A . Inputs phaseB . Parsing phaseC . Indexing phaseD . Searching phaseView AnswerAnswer: B Explanation: The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE). Input phase inputs.conf props.conf CHARSET NO_BINARY_CHECK...

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?A . AppsB . SearchC . Data previewD . Forwarder inputsView AnswerAnswer: C Explanation: http://www.splunk.com/view/SP-CAAAGPR

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing . Event example: Which value would fit best?A . MAX_TIMESTAMP_L0CKAHEAD = 5B . MAX_TIMESTAMP_LOOKAHEAD - 10C . MAX_TIMESTAMF_LOOKHEAD = 20D . MAX TIMESTAMP LOOKAHEAD - 30View AnswerAnswer: D Explanation: https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should...

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?A . splunk btool server list --debugB . splunk list forward-indexerC . splunk list forward-serverD . splunk btool indexes list --debugView AnswerAnswer: C Explanation: Reference: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-configure-a-Splunk-Forwarder-on-Linux/m-p/72078

In which phase do indexed extractions in props.conf occur?A . Inputs phaseB . Parsing phaseC . Indexing phaseD . Searching phaseView AnswerAnswer: B Explanation: The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE). Input phase inputs.conf props.conf CHARSET NO_BINARY_CHECK...

Which Splunk component requires a Forwarder license?A . Search headB . Heavy forwarderC . Heaviest forwarderD . Universal forwarderView AnswerAnswer: B

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?A . DeployerB . Cluster masterC . Deployment serverD . Search head cluster masterView AnswerAnswer: C Explanation: https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: "The deployment server distributes deployment apps to clients."