SPLK-1003 SPLUNK CERTIFIED ADMIN EXAM QUESTIONS
WITH COMPLETE SOLUTIONS
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to
what value?
A. True
B. False
C. <regex string>
D. Newline Character -- Correct Answer ✔✔ B. False
Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server -- Correct Answer ✔✔ A. Indexer
Which layers are involved in Splunk configuration file layering? (Choose all that apply.)
A. App context
B. User context
C. Global context
D. Forwarder context -- Correct Answer ✔✔ A B C
Which of the following are methods for adding inputs in Splunk? (Choose all that apply.)
A. CLI
B. Splunk Web
C. Editing inpits.conf
D. Editing monitor.conf -- Correct Answer ✔✔ A,B,C (assuming it's a typo, inputs.conf).
Which of the following authentication types requires scripting in Splunk?
A. ADFS
B. LDAP
C. SAML
D. RADIUS -- Correct Answer ✔✔ D. RADIUS
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A. A token-based HTTP input that is secure and scalable and that requires the use of
forwarders.
B. A token-based HTTP input that is secure and scalable and that does not require the
use of forwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the
use of forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not
require the use of forwarders. -- Correct Answer ✔✔ B. A token-based HTTP input
that is secure and scalable and that does not require the use of forwarders.
What is the difference between the two wildcards ... and * for the monitor stanza in
inputs.conf?
A. ... is not supported in monitor stanzas.
B. There is no difference, they are interchangeable and match anything beyond directory
boundaries.
C. * matches anything in that specific directory path segment, whereas ... recurses
through subdirectories as well.
D. ... matches anything in that specific directory path segment, whereas * recurses
through subdirectories as well. -- Correct Answer ✔✔ C. * matches anything in that
specific directory path segment, whereas ... recurses through subdirectories as well.
What type of data is counted against the Enterprise license at a fixed 150 bytes per
event?
A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs -- Correct Answer ✔✔ B. Metrics data
Which valid bucket types are searchable? (Choose all that apply.)
A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets -- Correct Answer ✔✔ A B C
How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table. -- Correct Answer ✔✔ D. By rebuilding the
forwarder asset table.