IT Certification Guaranteed, The Easy Way!

Exam : SPLK-1003

Title : Splunk Enterprise Certified

Admin

Vendor : Splunk

Version : V12.95

1
 IT Certification Guaranteed, The Easy Way!

NO.1 Which of the following is a benefit of distributed search?

A. Peers run search in sequence.
B. Peers run search in parallel.
C. Resilience from indexer failure.
D. Resilience from search head failure.
Answer: D

NO.2 Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
A. Universal forwarder
B. Parsing forwarder
C. Heavy forwarder
D. Advanced forwarder
Answer: C

NO.3 To set up a Network input in Splunk, what needs to be specified'?

A. File path.
B. Username and password
C. Network protocol and port number.
D. Network protocol and MAC address.
Answer: C

NO.4 An organization wants to collect Windows performance data from a set of clients, however,
installing Splunk software on these clients is not allowed. What option is available to collect this data
in Splunk Enterprise?
A. Use Local Windows host monitoring.
B. Use Windows Remote Inputs with WMI.
C. Use Local Windows network monitoring.
D. Use an index with an Index Data Type of Metrics.
Answer: D

NO.5 The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To
do this, he runs the following search over the last 24 hours:
index=*
What field can the administrator check to see the data distribution?
A. host
B. index
C. linecount
D. splunk_server
Answer: D

NO.6 Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced
configurations found in props.conf to be validated all through the UI?
A. Search

2
 IT Certification Guaranteed, The Easy Way!

B. Forwarder inputs
C. Apps
D. Data preview
Answer: A

NO.7 What conf file needs to be edited to set up distributed search groups?
A. props.conf
B. search.conf
C. distsearch.conf
D. distibutedsearch.conf
Answer: C

NO.8 What is the valid option for a [monitor] stanza in inputs.conf?

A. enabled
B. datasource
C. server_name
D. ignoreOlderThan
Answer: D

NO.9 If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk

component would the fishbucket need to be reset in order to reindex the data?
A. Indexer
B. Forwarder
C. Search head
D. Deployment server
Answer: A
Explanation
Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-
p/93310

NO.10 Which of the following indexes come pre-configured with Splunk Enterprise? (select all that
apply)
A. _license
B. _lnternal
C. _external
D. _thefishbucket
Answer: B D

NO.11 Which of the following is valid distribute search group?

A)

3
 IT Certification Guaranteed, The Easy Way!

B)

C)

D)

A. option A
B. Option B
C. Option C
D. Option D
Answer: D

NO.12 Which Splunk component performs indexing and responds to search requests from the
search head?
A. Forwarder
B. Search peer
C. License master
D. Search head cluster
Answer: B

NO.13 In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first.
Answer: A
Explanation
https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

NO.14 An admin is running the latest version of Splunk with a 500 GB license. The current daily
volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB
of historical data to the index?
A. Buy a bigger Splunk license.

4
 IT Certification Guaranteed, The Easy Way!

B. Add 2.5 TB each day for the next 5 days.

C. Add all 10 TB in a single 24 hour period.
D. Add 200 GB of historical data each day for 50 days.
Answer: B

NO.15 What is the default character encoding used by Splunk during the input phase?
A. UTF-8
B. UTF-16
C. EBCDIC
D. ISO 8859
Answer: A

NO.16 Which optional configuration setting in inputs .conf allows you to selectively forward the data
to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER ROUTING
Answer: A

NO.17 After configuring a universal forwarder to communicate with an indexer, which index can be
checked via the Splunk Web UI for a successful connection?
A. index=main
B. index=test
C. index=summary
D. index=_internal
Answer: D

NO.18 Which Splunk component requires a Forwarder license?

A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder
Answer: B

NO.19 Where are deployment server apps mapped to clients?

A. Apps tab in forwarder management interface or clientapps.conf.
B. Clients tab in forwarder management interface or deploymentclient.conf.
C. Server Classes tab in forwarder management interface or serverclass.conf.
D. Client Applications tab in forwarder management interface or clientapps.conf.
Answer: C

NO.20 How would you configure your distsearch conf to allow you to run the search below?

5
 IT Certification Guaranteed, The Easy Way!

sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON A)

B)

C)

D)

6
 IT Certification Guaranteed, The Easy Way!

A. option A
B. Option B
C. Option C
D. Option D
Answer: C

NO.21 Which configuration files are used to transform raw data ingested by Splunk? (Choose all that
apply.)
A. props.conf
B. inputs.conf
C. rawdata.conf
D. transforms.conf
Answer: A

NO.22 What is the difference between the two wildcards ... and - for the monitor stanza in inputs,
conf?
A. ... is not supported in monitor stanzas
B. There is no difference, they are interchangable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas ... recurses through
subdirectories as well.
D. ... matches anything in that specific directory path segment, whereas - recurses through
subdirectories as well.
Answer: C

NO.23 When does a warm bucket roll over to a cold bucket?

A. When Splunk is restarted.
B. When the maximum warm bucket age has been reached.
C. When the maximum warm bucket size has been reached.
D. When the maximum number of warm buckets is reached.
Answer: D

NO.24 Which Splunk component distributes apps and certain other configuration updates to search

7
 IT Certification Guaranteed, The Easy Way!

head cluster members?

A. Deployer
B. Cluster master
C. Deployment server
D. Search head cluster master
Answer: A

NO.25 Which of the following statements describe deployment management? (select all that apply)
A. Requires an Enterprise license
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders
D. Can automatically restart the host OS running the forwarder.
Answer: A

NO.26 How does the Monitoring Console monitor forwarders?

A. By pulling internal logs from forwarders.
B. By using the forwarder monitoring add-on
C. With internal logs forwarded by forwarders.
D. With internal logs forwarded by deployment server.
Answer: C

NO.27 What options are available when creating custom roles? (select all that apply)
A. Restrict search terms
B. Whitelist search terms
C. Limit the number of concurrent search jobs
D. Allow or restrict indexes that can be searched.
Answer: A C D

NO.28 What is the correct order of steps in Duo Multifactor Authentication?

A. 1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk
B. 1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session
C. 1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

8
 IT Certification Guaranteed, The Easy Way!

D. 1 Request Login 2 Duo MFA

3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk
Answer: C

NO.29 In a distributed environment, which Splunk component is used to distribute apps and
configurations to the other Splunk instances?
A. Indexer
B. Deployer
C. Forwarder
D. Deployment server
Answer: D

NO.30 Which additional component is required for a search head cluster?

A. Deployer
B. Cluster Master
C. Monitoring Console
D. Management Console
Answer: A

NO.31 Which valid bucket types are searchable? (select all that apply)
A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets
Answer: A B C

NO.32 After how many warnings within a rolling 30-day period will a license violation occur with an
enforced Enterprise license?
A. 1
B. 3
C. 4
D. 5
Answer: D

NO.33 How is data handled by Splunk during the input phase of the data ingestion process?
A. Data is broken up into events.
B. Data is initially written to disk.
C. Data is measured by the license meter.
D. Data is treated as streams.
Answer: B

9
 IT Certification Guaranteed, The Easy Way!

NO.34 Where can scripts for scripted inputs reside on the host file system? (select all that apply)
A. $SFLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/apps/bin
C. $SPLUNK_HOME/etc/system/bin
D. $S?LUNK_HOME/etc/apps/<your_app>/bin_
Answer: A C D

NO.35 Which of the following are supported configuration methods to add inputs on a forwarder?
(select all that apply)
A. CLI
B. Edit inputs . conf
C. Edit forwarder.conf
D. Forwarder Management
Answer: A B D

NO.36 Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced
configurations found in props.conf to be validated all through the UI?
A. Apps
B. Search
C. Data preview
D. Forwarder inputs
Answer: B

NO.37 Which Splunk indexer operating system platform is supported when sending logs from a
Windows universal forwarder?
A. Any OS platform
B. Linux platform only
C. Windows platform only.
D. None of the above.
Answer: A

NO.38 When deploying apps, which attribute in the forwarder management interface determines
the apps that clients install?
A. App Class
B. Client Class
C. Server Class
D. Forwarder Class
Answer: C

NO.39 What are the minimum required settings when creating a network input in Splunk?
A. Protocol, port number
B. Protocol, port, location

10
 IT Certification Guaranteed, The Easy Way!

C. Protocol, username, port

D. Protocol, IP. port number
Answer: A

NO.40 During search time, which directory of configuration files has the highest precedence?
A. $SFLUNK_KOME/etc/system/local
B. $SPLUNK_KCME/etc/system/default
C. $SPLUNK_HCME/etc/apps/app1/local
D. $SPLUNK HCME/etc/users/admin/local
Answer: D

NO.41 The universal forwarder has which capabilities when sending data? (select all that apply)
A. Sending alerts
B. Compressing data
C. Obfuscating/hiding data
D. Indexer acknowledgement
Answer: B D
Explanation
https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdat
a

NO.42 Which of the following authentication types requires scripting in Splunk?

A. ADFS
B. LDAP
C. SAML
D. RADIUS
Answer: D

NO.43 Who provides the Application Secret, Integration, and Secret keys, as well as the API
Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?
A. Duo Administrator
B. LDAP Administrator
C. SAML Administrator
D. Trio Administrator
Answer: A

NO.44 Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders
B. A token-based HTTP input that is secure and scalable and that does not require the use of
forwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the use of
forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of

11
 IT Certification Guaranteed, The Easy Way!

forwarders.
Answer: B

NO.45 You update a props. conf file while Splunk is running. You do not restart Splunk and you run
this command:
splunk btoo1 props list -debug. What will the output be?
A. list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props. conf configurations as they are on-disk along with a file path from which the
configuration is located
D. A list of the current running props, conf configurations along with a file path from which the
configuration was made
Answer: C

NO.46 Which Splunk component consolidates the individual results and prepares reports in a
distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers
Answer: C

NO.47 Where should apps be located on the deployment server that the clients pull from?
A. $SFLUNK_KOME/etc/apps
B. $SPLUNK_HCME/etc/sear:ch
C. $SPLUNK_HCME/etc/master-apps
D. $SPLUNK HCME/etc/deployment-apps
Answer: D

NO.48 User role inheritance allows what to be inherited from the parent role? (select all that apply)
A. Parents
B. Capabilities
C. Index access
D. Search history
Answer: B C

NO.49 Which feature of Splunk's role configuration can be used to aggregate multiple roles intended
for groups of users?
A. Linked roles
B. Grantable roles
C. Role federation
D. Role inheritance
Answer: D

12
 IT Certification Guaranteed, The Easy Way!

NO.50 In which scenario would a Splunk Administrator want to enable data integrity check when
creating an index?
A. To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes
Answer: D

NO.51 Which authentication methods are natively supported within Splunk Enterprise? (select all
that apply)
A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication
Answer: A D

NO.52 How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.
Answer: D

NO.53 Which option on the Add Data menu is most useful for testing data ingestion without creating
inputs.conf?
A. Upload option
B. Forward option
C. Monitor option
D. Download option
Answer: C

NO.54 Which of the following must be done to define user permissions when integrating Splunk with
LDAP?
A. Map Users
B. Map Groups
C. Map LDAP Inheritance
D. Map LDAP to Active Directory
Answer: B

NO.55 Within props. conf, which stanzas are valid for data modification? (select all that apply)
A. Host
B. Server

13
 IT Certification Guaranteed, The Easy Way!

C. Source
D. Sourcetype
Answer: A C D

NO.56 What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
A. License data
B. Metricsdata
C. Internal Splunk data
D. Internal Windows logs
Answer: B

NO.57 In which phase of the index time process does the license metering occur?
A. input phase
B. Parsing phase
C. Indexing phase
D. Licensing phase
Answer: C

NO.58 This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and
deploys the same app with a new

Which file is now monitored?

A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above
Answer: B

NO.59 Which parent directory contains the configuration files in Splunk?

A. SSFLUNK_KOME/etc
B. SSPLUNK_HCME/var
C. SSPLUNK_HOME/conf

14
 IT Certification Guaranteed, The Easy Way!

D. SSPLUNK_HOME/default
Answer: A

NO.60 Which of the following enables compression for universal forwarders in outputs. conf ?
A)

B)

C)

D)

A. Option A
B. Option B
C. Option C
D. Option D
Answer: B

NO.61 Which configuration file would be used to forward the Splunk internal logs from a search
head to the indexer?
A. props.conf
B. inputs.conf
C. outputs.conf
D. collections.conf
Answer: C

NO.62 In which phase do indexed extractions in props.conf occur?

A. Inputs phase
B. Parsing phase
C. Indexing phase
D. Searching phase
Answer: B

NO.63 Which of the following apply to how distributed search works? (select all that apply)
A. The search head dispatches searches to the peers

15
 IT Certification Guaranteed, The Easy Way!

B. The search peers pull the data from the forwarders.

C. Peers run searches in parallel and return their portion of results.
D. The search head consolidates the individual results and prepares reports
Answer: A C D

NO.64 What are the required stanza attributes when configuring the transforms. conf to manipulate
or remove events?
A. REGEX, DEST. FORMAT
B. REGEX. SRC_KEY, FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY FORMATTING
Answer: C

NO.65 Where are license files stored?

A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses
Answer: C

NO.66 Which of the following statements describes how distributed search works?
A. Forwarders pull data from the search peers.
B. Search heads store a portion of the searchable data.
C. The search head dispatches searches to the search peers.
D. Search results are replicated within the indexer cluster.
Answer: D

NO.67 The volume of data from collecting log files from 50 Linux servers and 200 Windows servers
will require multiple indexers. Following best practices, which types of Splunk component instances
are needed?
A. Indexers, search head, universal forwarders, license master
B. Indexers, search head, deployment server, universal forwarders
C. Indexers, search head, deployment server, license master, universal forwarder
D. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder
Answer: B

NO.68 Which of the following are required when defining an index in indexes. conf? (select all that
apply)
A. coldPath
B. homePath
C. frozenPath
D. thawedPath
Answer: A B D

16
 IT Certification Guaranteed, The Easy Way!

NO.69 Which layers are involved in Splunk configuration file layering? (select all that apply)
A. App context
B. User context
C. Global context
D. Forwarder context
Answer: A B

NO.70 The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in
which configuration file?
A. inputs.conf
B. indexes.conf
C. outputs.conf
D. servers.conf
Answer: A

NO.71 Which of the following are methods for adding inputs in Splunk? (select all that apply)
A. CLI
B. Splunk Web
C. Editing inputs. conf
D. Editing monitor. conf
Answer: A B C

NO.72 How is data handled by Splunk during the input phase of the data ingestion process?
A. Data is treated as streams.
B. Data is broken up into events.
C. Data is initially written to disk.
D. Data is measured by the license meter.
Answer: C

NO.73 Which of the following is the use case for the deployment server feature of Splunk?
A. Managing distributed workloads in a Splunk environment.
B. Automating upgrades of Splunk forwarder installations on endpoints.
C. Orchestrating the operations and scale of a containerized Splunk deployment.
D. Updating configuration and distributing apps to processing components, primarily forwarders.
Answer: D

NO.74 Which setting in indexes. conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodlnSecs
Answer: D

17
 IT Certification Guaranteed, The Easy Way!

Explanation
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy

NO.75 How can native authentication be disabled in Splunk?

A. Remove the $SPLUNK_HOME/etc/passwd file
B. Create an empty $SPLUNK_HOME/etc/passwd file
C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
D. Set nativeAuthentication=false in authentication.conf
Answer: A

NO.76 When running the command shown below, what is the default path in which deployment
server. conf is created?
splunk set deploy-poll deployServer:port
A. SFLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default
D. SPLUNK_KOME/etc/apps/deployment
Answer: B

NO.77 Social Security Numbers (PII) data is found in log events, which is against company policy. SSN
format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?
A. props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
KEY = _raw
B. props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
C. transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
D. transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
Answer: B

NO.78 Which Splunk component does a search head primarily communicate with?

18
 IT Certification Guaranteed, The Easy Way!

A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server
Answer: A

NO.79 Which forwarder type can parse data prior to forwarding?

A. Universal forwarder
B. Heaviest forwarder
C. Hyper forwarder
D. Heavy forwarder
Answer: D

NO.80 Which of the following statements apply to directory inputs? {select all that apply)
A. All discovered text files are consumed.
B. Compressed files are ignored by default
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take
them into account.
Answer: A C

NO.81 What is required when adding a native user to Splunk? (select all that apply)
A. Password
B. Username
C. Full Name
D. Default app
Answer: A B

NO.82 When are knowledge bundles distributed to search peers?

A. After a user logs in.
B. When Splunk is restarted.
C. When adding a new search peer.
D. When a distributed search is initiated.
Answer: D

NO.83 In which Splunk configuration is the SEDCMD used?

A. props, conf
B. inputs.conf
C. indexes.conf
D. transforms.conf
Answer: A
Explanation
https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-

19
 IT Certification Guaranteed, The Easy Way!

partysystemsd

NO.84 Which of the following statements accurately describes using SSL to secure the feed from a
forwarder?
A. It does not encrypt the certificate password.
B. SSL automatically compresses the feed by default.
C. It requires that the forwarder be set to compressed=true.
D. It requires that the receiver be set to compression=true.
Answer: A

NO.85 When configuring monitor inputs with whitelists or blacklists, what is the supported method
of filtering the lists?
A. Slash notation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression
Answer: B

NO.86 How is a remote monitor input distributed to forwarders?

A. As an app.
B. As a forward.conf file.
C. As a monitor.conf file.
D. As a forwarder monitor profile.
Answer: A

NO.87 The priority of layered Splunk configuration files depends on the file's:
A. Owner
B. Weight
C. Context
D. Creation time
Answer: C

NO.88 When configuring HTTP Event Collector (HEC) input, how would one ensure the events have
been indexed?
A. Enable indexer acknowledgment.
B. Enable forwarder acknowledgment.
C. splunk check-integrity -index <index name>
D. index=_internal component=ACK | stats count by host
Answer: A
Explanation
Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

NO.89 Which Splunk configuration file is used to enable data integrity checking?

20
 IT Certification Guaranteed, The Easy Way!

A. props.conf
B. global.conf
C. indexes.conf
D. data_integrity.conf
Answer: C

NO.90 Local user accounts created in Splunk store passwords in which file?
A. $ SFLUNK_KOME/etc/passwd
B. $ SFLUNK_KCME/etc/authentication
C. $ S?LUNK_HCME/etc/users/passwd.conf
D. $ SPLUNK HCME/etc/users/authentication.conf
Answer: A

NO.91 In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit
best?

Event example:

A. MAX_TIMESTAMP_L0CKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD - 10
C. MAX_TIMESTAMF_LOOKHEAD = 20
D. MAX TIMESTAMP LOOKAHEAD - 30
Answer: D

NO.92 What hardware attribute would need to be changed to increase the number of simultaneous
searches (ad-hoc and scheduled) on a single search head?
A. Disk
B. CPUs
C. Memory
D. Network interface cards
Answer: B

NO.93 How often does Splunk recheck the LDAP server?

A. Every 5 minutes
B. Each time a user logs in
C. Each time Splunk is restarted
D. Varies based on LDAP_refresh setting.
Answer: B

21
 IT Certification Guaranteed, The Easy Way!

NO.94 Which is a valid stanza for a network input?

A. [udp://172.16.10.1:9997]
connection = dns
sourcetype = dns
B. [any://172.16.10.1:10001]
connection_host = ip
sourcetype = web
C. [tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web
D. [tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns
Answer: C

NO.95 On the deployment server, administrators can map clients to server classes using client
filters. Which of the following statements is accurate?
A. The blacklist takes precedence over the whitelist.
B. The whitelist takes precedence over the blacklist.
C. Wildcards are not supported in any client filters.
D. Machine type filters are applied before the whitelist and blacklist.
Answer: A

NO.96 Which of the following are supported options when configuring optional network inputs?
A. Metadata override, sender filtering options, network input queues (quantum queues)
B. Metadata override, sender filtering options, network input queues (memory/persistent queues)
C. Filename override, sender filtering options, network output queues (memory/persistent queues)
D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)
Answer: B

NO.97 Assume a file is being monitored and the data was incorrectly indexed to an exclusive index.
The index is cleaned and now the data must be reindexed. What other index must be cleaned to
reset the input checkpoint information for that file?
A. _audit
B. _checkpoint
C. _introspection
D. _thefishbucket
Answer: A

NO.98 Which of the following are available input methods when adding a file input in Splunk Web?
(Choose all that apply.)
A. Index once.
B. Monitor interval.

22
 IT Certification Guaranteed, The Easy Way!

C. On-demand monitor.
D. Continuously monitor.
Answer: D

NO.99 Which of the following configuration files are used with a universal forwarder? (Choose all
that apply.)
A. inputs.conf
B. monitor.conf
C. outputs.conf
D. forwarder.conf
Answer: A C

NO.100 For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what
value?
A. True
B. False
C. <regex string>
D. Newline Character
Answer: B

23