Within props.conf, which stanzas are valid for data modification? (select all that apply)
A. Host
B. Server
C. Source
D. Sourcetype
Answer: A,C,D
Explanation: https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf "* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts."

What action is required to enable forwarder management in Splunk Web?
A. Navigate to Settings > Server Settings > General Settings, and set an App server port.
B. Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
C. Create a server class and map it to a...

In which phase do indexed extractions in props.conf occur?
A. Inputs phase
B. Parsing phase
C. Indexing phase
D. Searching phase
Answer: B
Explanation: The following items in the phases below are listed in the order Splunk applies them (i.e. LINE_BREAKER occurs before TRUNCATE). Input phase inputs.conf props.conf CHARSET NO_BINARY_CHECK...

A log file contains 193 days' worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?
A. followTail = -45d
B. ignore = 45d
C. includeNewerThan = -35d
D. ignoreOlderThan = 45d
Answer: D
Explanation: Reference: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Configuretimestamprecognition

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
B. To ensure that configuration files have not been tampered with...

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
A. Universal forwarder
B. Parsing forwarder
C. Heavy forwarder
D. Advanced forwarder
Answer: C

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
[Images for options A) to D) not available]
A. Option A
B. Option B
C. Option C
D. Option D
Answer: C
Explanation: https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

What conf file needs to be edited to set up distributed search groups?
A. props.conf
B. search.conf
C. distsearch.conf
D. distibutedsearch.conf
Answer: C
Explanation: "You can group your search peers to facilitate searching on a subset of them. Groups of search peers are known as "distributed search groups." You specify...

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?
A. diskQueueSize
B. durableQueueSize
C. persistentQueueSize
D. queueSize
Answer: C
Explanation: Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/Data/Usepersistentqueues

Which of the following are reasons to create separate indexes? (Choose all that apply.)
A. Different retention times.
B. Increase number of users.
C. Restrict user permissions.
D. File organization.
Answer: A,D
Explanation: Reference: https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have-multiple-indexes/m-p/12063