Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs
Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default
Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps
Which Splunk component requires a Forwarder license?
A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder
Which of the following statements describe deployment management? (select all that apply)
A. Requires an Enterprise license
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders
D. Can automatically restart the host OS running the forwarder.
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
A. ... is not supported in monitor stanzas
B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
D. ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.
When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?
A. Enable indexer acknowledgment.
B. Enable forwarder acknowledgment.
C. splunk check-integrity -index
D. index=_internal component=ACK | stats count by host
What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?
A. host=server1 index=unixinfo
B. host=server1 index=searchinfo
C. host=searchsvr1 index=searchinfo
D. host=unixsvr1 index=unixinfo
The LINE_BREAKER attribute is configured in which configuration file?
A. props.conf
B. indexes.conf
C. inputs.conf
D. transforms.conf
What is the command to reset the fishbucket for one source?
A. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
B. splunk clean eventdata -index _thefishbucket
C. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file
D. splunk btool fishbucket reset