SPLK-1003 시험 - Splunk실제시험문제와 답 - 60문항

Question No : 1

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

A.diskQueueSize
B.durableQueueSize C persistentOueueSize
C.queueSize

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/Data/Usepersistentqueues

Question No : 2

Within props. conf, which stanzas are valid for data modification? (select all that apply)

A.Host
B.Server
C.Source
D.Sourcetype

정답:
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec
https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf
"* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts."
https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question No : 3

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

A.index=main
B.index=test
C.index=summary
D.index=_internal

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Validateyourconfiguration

Question No : 4

A log file contains 193 days worth of timestamped events .
Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A.followTail = -45d
B.ignore = 45d
C.includeNewerThan = -35d
D.ignoreOlderThan = 45d

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.1/Data/Configuretimestamprecognition

Question No : 5

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing .

Event example:

Which value would fit best?

A.MAX_TIMESTAMP_L0CKAHEAD = 5
B.MAX_TIMESTAMP_LOOKAHEAD - 10
C.MAX_TIMESTAMF_LOOKHEAD = 20
D.MAX TIMESTAMP LOOKAHEAD - 30

정답:
Explanation:
https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition "Specify how far (how many characters) into an event Splunk software should look for a timestamp." since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.

Question No : 6

When are knowledge bundles distributed to search peers?

A.After a user logs in.
B.When Splunk is restarted.
C.When adding a new search peer.
D.When a distributed search is initiated.

정답:
Explanation:
"The search head replicates the knowledge bundle periodically in the background or when initiating a search. " "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend

Question No : 7

Which of the following is a benefit of distributed search?

A.Peers run search in sequence.
B.Peers run search in parallel.
C.Resilience from indexer failure.
D.Resilience from search head failure.

정답:
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch Parallel reduce search processing If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.

Question No : 8

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

A.props.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 KEY = _raw
B.props.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
C.transforms.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
D.transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw

정답:
Explanation:
because transforms.conf is the right configuration file to state the regex expression. https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
Reference: https://community.splunk.com/t5/Archive/How-to-mask-SSN-into-our-logs-going-into-Splunk/tdp/433035

Question No : 9

Which artifact is required in the request header when creating an HTTP event?

A.Token
B.Manifest
C.Host name

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/FormateventsforHTTPEventCollector

Question No : 10

Which of the following types of data count against the license daily quota?

A.Replicated data
B.splunkd logs
C.Summary index data
D.Windows internal logs

정답:
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues ference: https://community.splunk.com/t5/Deployment-Architecture/License-usage-in-Indexer-Cluster/m-p/493548

Question No : 11

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

A.inputs.conf
B.monitor.conf
C.outputs.conf
D.forwarder.conf

정답:
Explanation:
https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalf orwarder
--Key configuration files are: inputs.conf controls how the forwarder collects data. outputs.conf controls how the forwarder sends data to an indexer or other forwarder server.conf for connection and performance tuning deploymentclient.conf for connecting to a deployment server
Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder

Question No : 12

How do you remove missing forwarders from the Monitoring Console?

A.By restarting Splunk.
B.By rescanning active forwarders.
C.By reloading the deployment server.
D.By rebuilding the forwarder asset table.

정답:

Question No : 13

Which of the following are supported options when configuring optional network inputs?

A.Metadata override, sender filtering options, network input queues (quantum queues)
B.Metadata override, sender filtering options, network input queues (memory/persistent queues)
C.Filename override, sender filtering options, network output queues (memory/persistent queues)
D.Metadata override, receiver filtering options, network input queues (memory/persistent queues)

정답:
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question No : 14

Which of the following authentication types requires scripting in Splunk?

A.ADFS
B.LDAP
C.SAML
D.RADIUS

정답:
Explanation:
https://answers.splunk.com/answers/131127/scripted-authentication.html Scripted Authentication: An option for Splunk Enterprise authentication. You can use an authentication system that you have in place (such as PAM or RADIUS) by configuring authentication.conf to use a script instead of using LDAP or Splunk Enterprise default authentication.

Question No : 15

The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in which configuration file?

A.inputs.conf
B.indexes.conf
C.outputs.conf
D.servers.conf

정답:
Explanation:
The CLI command "Splunk add forward-server indexer:<receiving-port>" is used to define the indexer and the listening port on forwards. The command creates this kind of entry "[tcpout-server://<ip address>:<port>]" in the outputs.conf file. https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwit houtputs.conf
Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Enableareceiver

Splunk SPLK-1003 시험