[Updated 2024] SPLK-1003 Splunk Enterprise Certified Admin Realistic Free Practice Test [Q11-Q31]

Free Splunk Enterprise Certified Admin SPLK-1003 exam questions

Question # 11
Which parent directory contains the configuration files in Splunk?

  • A. $SPLUNK_HOME/default
  • B. $SPLUNK_HOME/etc
  • C. $SPLUNK_HOME/var
  • D. $SPLUNK_HOME/conf

Correct answer: B


Question # 12
In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

  • A. services/collector
  • B. data/collector
  • C. services/inputs?raw
  • D. services/data/collector

Correct answer: A

Explanation:
The HTTP Event Collector (HEC) endpoint on Splunk Enterprise and Splunk Cloud Platform is /services/collector (with /services/collector/event for JSON-formatted events and /services/collector/raw for raw text), served on port 8088 by default, so option A is correct; there is no /services/data/collector endpoint. Each request carries the HEC token in an Authorization header of the form "Splunk <token>", and the JSON body can name the target index, sourcetype and host beside the event itself. For example, the following curl command sends one event to the main index with the token 578254cc-05f5-46b5-957b-910d1400341a (a placeholder value):
curl https://localhost:8088/services/collector/event -H 'Authorization: Splunk 578254cc-05f5-46b5-957b-910d1400341a' -d '{"index":"main","event":"Hello, world!"}'
The original command used -k, which disables certificate verification. That is tolerable against a lab instance with a self-signed certificate, but the HEC token is a bearer credential: anyone who can intercept the connection can replay it, so in production TLS verification should stay on and the token should be read from a secret store or environment variable rather than typed into a shell.
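The same request built programmatically, as an added example that is not part of the original page or of Splunk's own code. The endpoint path, the "Splunk <token>" header and the JSON envelope follow the HEC documentation; the host, the sample batch, and the hypothetical HEC_TOKEN environment variable are constructed here. It also shows that HEC accepts several JSON objects concatenated in one body, which is how a forwarder-less script batches events instead of issuing one HTTPS request per event.

```python
import json
import os
import ssl
import urllib.request

# Added example, not Splunk code: build and send a batch of events to HEC.
HEC_PATH = "/services/collector/event"   # documented JSON event endpoint


def build_hec_request(base_url, token, events):
    """Return a urllib Request carrying `events` as one HEC batch.

    HEC accepts several JSON objects back to back in one body, so a batch is
    just the events serialised without separators. Each object may carry
    routing metadata (index, sourcetype, host, time) beside the `event`.
    """
    body = "".join(json.dumps(e) for e in events).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=body,
        method="POST",
        headers={
            "Authorization": "Splunk " + token,  # HEC token, a bearer credential
            "Content-Type": "application/json",
        },
    )


def send_hec_events(base_url, token, events, verify_tls=True, timeout=10):
    """POST the batch and return HEC's parsed reply, e.g. {"text": "Success", "code": 0}."""
    req = build_hec_request(base_url, token, events)
    ctx = ssl.create_default_context()
    if not verify_tls:
        # Equivalent of curl -k: only for a lab with a self-signed certificate.
        # Without verification anyone on the path can read the token and the events.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def hec_ok(response):
    """HEC signals success with code 0; any other code means the batch was rejected."""
    return response.get("code") == 0


if __name__ == "__main__":
    # Constructed sample batch. The token comes from the environment (hypothetical
    # variable name) so it never lands in shell history or in a script under version control.
    batch = [
        {"index": "main", "sourcetype": "app:demo", "event": "Hello, world!"},
        {"index": "main", "sourcetype": "app:demo",
         "event": {"user": "alice", "action": "login", "result": "ok"}},
    ]
    token = os.environ.get("HEC_TOKEN", "578254cc-05f5-46b5-957b-910d1400341a")
    try:
        reply = send_hec_events("https://localhost:8088", token, batch)
        print("accepted" if hec_ok(reply) else "rejected", reply)
    except OSError as exc:  # no HEC listener, TLS failure, etc.
        print("send failed:", exc)
```

Pass verify_tls=False only for the self-signed lab case described above; the default keeps certificate checking on.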


Question # 13
The following stanza in inputs.conf is currently being used by a deployment client:
[udp://145.175.118.177:1001]
connection_host = dns
sourcetype = syslog
Which of the following statements is true of data that is received via this input?

  • A. The host value associated with data received will be the IP address that sent the data.
  • B. If Splunk is restarted, data will be queued and then sent when Splunk has restarted.
  • C. If Splunk is restarted, data may be lost.
  • D. Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

Correct answer: C

Explanation:
The input is UDP, which provides no delivery guarantee, ordering or acknowledgement: the sender never learns whether a datagram arrived, and nothing retransmits it. While Splunk is down for a restart there is no listener on port 1001, so datagrams sent during that window are discarded and the data may be lost (option C). Option B describes TCP-style buffering that UDP does not have. Option A is wrong because connection_host = dns sets the host field from a reverse DNS lookup of the sender's address; connection_host = ip would use the IP address. Option D is wrong because inputs.conf only tells Splunk which port to listen on; the host firewall still has to allow inbound UDP on that port. Where loss is unacceptable, use a TCP input or put a syslog relay with disk buffering (rsyslog or syslog-ng, for example) in front of Splunk.


Question # 14
How is data handled by Splunk during the input phase of the data ingestion process?

  • A. Data is treated as streams.
  • B. Data is initially written to disk.
  • C. Data is broken up into events.
  • D. Data is measured by the license meter.

Correct answer: A

Explanation:
In the input phase, Splunk software consumes the raw data as streams and annotates each stream with metadata keys (host, source, sourcetype); it does not yet break the stream into events or write it to disk. Event breaking and timestamp extraction happen in the parsing phase, and writing to disk and license metering happen in the indexing phase, so options B, C and D describe later phases.


Question # 15
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

  • A. Linux platform only.
  • B. Any OS platform.
  • C. Windows platform only.
  • D. None of the above.

Correct answer: B

Explanation:
Forwarders and indexers do not need to run the same operating system. A Windows universal forwarder can send data to an indexer running on any platform that Splunk Enterprise supports, so option B is correct. See the supported operating systems list:
https://docs.splunk.com/Documentation/Splunk/7.3.2/Installation/Systemrequirements#Supported_OSes


Question # 16
What are the minimum required settings when creating a network input in Splunk?

  • A. Protocol, username, port
  • B. Protocol, IP, port number
  • C. Protocol, port, location
  • D. Protocol, port number

Correct answer: D


Question # 17
All search-time field extractions should be specified on which Splunk component?

  • A. Universal forwarder
  • B. Search head
  • C. Deployment server
  • D. Indexer

Correct answer: B

Explanation:
Search-time field extractions extract fields from events when a search runs, after the events have been indexed. They are specified on the search head, the component that handles searching and reporting, and are configured in props.conf and transforms.conf, typically under an app's local directory ($SPLUNK_HOME/etc/apps/<app>/local) or in etc/system/local on the search head; the search head ships them to the indexers in its knowledge bundle at search time. Index-time extractions, by contrast, belong on the indexers or heavy forwarders that parse the data. Therefore option B is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, About fields - Splunk Documentation


Question # 18
Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

  • A. LDAP
  • B. Duo Multifactor Authentication
  • C. RADIUS
  • D. SAML

Correct answer: A, D

Explanation:
Splunk Enterprise natively supports its own internal authentication, LDAP, SAML and scripted authentication. RADIUS is only reachable through a scripted authentication module, not as a built-in method. Duo is supported as a multifactor authentication layer that is enabled on top of a primary method such as LDAP or the built-in authentication; it is not an authentication method in its own right.


Question # 19
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

  • A. props.conf
    [mask-SSN]
    REGEX = (?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw
  • B. props.conf
    [mask-SSN]
    REX = (?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$
    FORMAT = $1<SSN>###-##-$2
    KEY = _raw
  • C. transforms.conf
    [mask-SSN]
    REGEX = (?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw
  • D. transforms.conf
    [mask-SSN]
    REX = (?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw

Correct answer: C

Explanation:
The regular expression and its replacement belong in transforms.conf, whose stanzas use the keys REGEX, FORMAT and DEST_KEY (REX and KEY are not valid keys), so option C is correct. A transforms.conf stanza on its own does nothing: it has to be referenced from a props.conf stanza for the relevant sourcetype, source or host with a TRANSFORMS-<class> setting, for example TRANSFORMS-anonymize = mask-SSN. Because this is an index-time transform, it must live on the instance that parses the data (an indexer or a heavy forwarder), not on a universal forwarder, and it only affects events indexed after it is deployed; SSNs already on disk are not rewritten. Note also that this particular pattern only matches events that carry a literal <SSN> marker in front of the number. Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf
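To show what the indexer actually does with that stanza, here is an added example (not from the original page and not Splunk code) that parses the transforms.conf stanza from option C together with the props.conf wiring the answer leaves implicit, and applies it to constructed sample events. It emulates the index-time behaviour for DEST_KEY = _raw only: REGEX is matched against the raw event and FORMAT rebuilds _raw from the capture groups. The sourcetype name app:payroll and the sample log lines are constructed.

```python
import re

# Added example, not Splunk code: emulate an index-time masking transform.

TRANSFORMS_CONF = r"""
[mask-SSN]
REGEX = (?ms)^(.*)<SSN>\d{3}-?\d{2}-?(\d{4}.*)$
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
"""

# props.conf wiring that the question leaves implicit. Without a TRANSFORMS-<class>
# reference on a sourcetype/source/host stanza the transform is never applied.
PROPS_CONF = r"""
[app:payroll]
TRANSFORMS-anonymize = mask-SSN
"""


def parse_conf(text):
    """Parse a minimal .conf file into {stanza: {key: value}}."""
    stanzas, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def apply_transform(stanza, raw):
    """Apply one transforms.conf stanza with DEST_KEY = _raw to a raw event."""
    if stanza.get("DEST_KEY") != "_raw":
        raise ValueError("only DEST_KEY = _raw is emulated here")
    match = re.search(stanza["REGEX"], raw)
    if not match:
        return raw  # no match: the event passes through unchanged
    # Splunk's FORMAT refers to capture groups as $1..$n; Python uses \1..\n.
    fmt = re.sub(r"\$(\d+)", r"\\\1", stanza["FORMAT"])
    return match.expand(fmt)


def mask_events(props_text, transforms_text, sourcetype, events):
    """Run every transform wired to `sourcetype` in props.conf over `events`."""
    props = parse_conf(props_text)
    transforms = parse_conf(transforms_text)
    wired = [v for k, v in props.get(sourcetype, {}).items() if k.startswith("TRANSFORMS-")]
    names = [n.strip() for entry in wired for n in entry.split(",")]
    masked = []
    for raw in events:
        for name in names:
            raw = apply_transform(transforms[name], raw)
        masked.append(raw)
    return masked


if __name__ == "__main__":
    # Constructed sample events; the last one has no <SSN> marker and is left alone.
    sample = [
        "2024-05-01 10:00:00 payroll user=alice <SSN>123-44-5678 status=ok",
        "2024-05-01 10:00:05 payroll user=bob <SSN>987654321 status=ok",
        "2024-05-01 10:00:09 payroll user=carol ssn=111-22-3333 status=ok",
    ]
    for line in mask_events(PROPS_CONF, TRANSFORMS_CONF, "app:payroll", sample):
        print(line)
```

The third sample line shows the gap a practitioner should check for: the regex requires the <SSN> marker, so an SSN written as ssn=111-22-3333 is indexed in clear. A production masking rule should match the number format itself rather than a marker.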


Question # 20
Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

  • A. _checkpoint
  • B. _introspection
  • C. _audit
  • D. _thefishbucket

Correct answer: D

Explanation:
The fishbucket (the _thefishbucket index) stores the CRC checkpoints the monitor input uses to remember how far it has read each file. Cleaning the target index alone does not make Splunk reread the file, because the checkpoint still says the file has been consumed. Rather than cleaning the whole fishbucket, which resets every monitored file, the documented btprobe tool can reset the checkpoint for one file: splunk cmd btprobe -d $SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <path> --reset. As the documentation notes for --reset: "Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use." https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport


Question # 21
An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the index?

  • A. Add 200 GB of historical data each day for 50 days.
  • B. Add all 10 TB in a single 24 hour period.
  • C. Buy a bigger Splunk license.
  • D. Add 2.5 TB each day for the next 5 days.

Correct answer: B

Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations
"An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate."
With a 500 GB license, exceeding the daily limit still produces a warning for that day (visible in the license manager and logged in _internal), but search is not blocked, so loading all 10 TB at once costs a single warning day instead of 50 days of scheduled loading. Option A would also stay within the license but takes far longer, option D would generate warnings on five days, and option C is an unnecessary purchase.


Question # 22
Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

  • A. Universal Forwarders
  • B. Search peers
  • C. Heavy Forwarders
  • D. Search heads

Correct answer: B

Explanation:
The eval command is a distributable streaming command, so in a distributed search it runs on the search peers, the indexers that hold the data and perform the initial stages of search processing; each peer evaluates the expression against its own events before returning results to the search head. eval calculates an expression and writes the result into a results field; in the search shown, it creates a field called responsible_team from the values of the account field. Only non-streaming work, such as the final merge of a stats command, has to happen on the search head.


Question # 23
Which of the following describes a Splunk deployment server?

  • A. A Splunk app installed on a Splunk Enterprise server.
  • B. A Splunk Enterprise server that distributes apps.
  • C. A Splunk Forwarder that deploys data to multiple indexers.
  • D. A server that automates the deployment of Splunk Enterprise to remote servers.

Correct answer: B

Explanation:
A Splunk deployment server is a system that distributes apps, configurations and other assets to groups of Splunk Enterprise instances. You can use it to distribute updates to most types of Splunk Enterprise components: forwarders, non-clustered indexers and search heads.
A deployment server is available on every full Splunk Enterprise instance. To use it, you activate it by placing at least one app into $SPLUNK_HOME/etc/deployment-apps on the host you want to act as deployment server.
The deployment server maintains the list of server classes and uses those server classes to determine what content to distribute to each client. A server class is a group of deployment clients that share one or more defined characteristics.
A deployment client is a Splunk instance remotely configured by a deployment server. Deployment clients can be universal forwarders, heavy forwarders, indexers or search heads. Each deployment client belongs to one or more server classes.
A deployment app is a set of content (including configuration files) maintained on the deployment server and deployed as a unit to the clients of a server class. A deployment app can be an existing Splunk Enterprise app or one developed solely to group some content for deployment purposes.
Therefore option B is correct and the other options are incorrect: the deployment server distributes apps and configuration, not data (option C), and it does not install Splunk Enterprise itself (option D).


Question # 24
Which valid bucket types are searchable? (select all that apply)

  • A. Frozen buckets
  • B. Hot buckets
  • C. Warm buckets
  • D. Cold buckets

Correct answer: B, C, D

Explanation:
Hot, warm and cold buckets are all searchable; they differ in whether they are still being written to (hot) and where they are stored (warm in the index's db directory beside hot, cold usually in colddb on cheaper storage). Frozen buckets are either deleted or archived outside the index and are not searchable unless they are restored into thaweddb.


Question # 25
In case of a conflict between a whitelist and a blacklist input setting, which one is used?

  • A. Whitelist
  • B. Blacklist
  • C. Whichever is entered into the configuration first.
  • D. They cancel each other out.

Correct answer: B

Explanation:
"It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index that file, as the blacklist filter overrides the whitelist filter." Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata (the same rule is documented for 8.0.4 at https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata).


Question # 26
An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

  • A. frozendb
  • B. db
  • C. colddb
  • D. bucketdb

Correct answer: B, C

Explanation:
By default each index keeps its hot and warm buckets under $SPLUNK_HOME/var/lib/splunk/<index>/db (homePath), its cold buckets under <index>/colddb (coldPath), and restored buckets under <index>/thaweddb (thawedPath). There is no frozendb or bucketdb directory by default; frozen buckets are deleted unless coldToFrozenDir or coldToFrozenScript is configured to archive them.


Question # 27
When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

  • A. The app local directories move to second in the priority list.
  • B. The system default directory becomes the highest priority.
  • C. The peer-apps local directory becomes the highest priority.
  • D. Nothing changes.

Correct answer: C

Explanation:
On a standalone instance the global-context precedence is, from highest to lowest: system local (etc/system/local), app local (etc/apps/*/local), app default (etc/apps/*/default), system default (etc/system/default). On an indexer-cluster peer, the configuration bundle pushed by the manager node (from its manager-apps directory, called master-apps in older releases) lands in the peer's etc/peer-apps directory (formerly etc/slave-apps), and that directory is inserted into the list: peer-apps local, system local, app local, peer-apps default, app default, system default. The peer-apps local directory therefore becomes the highest priority (option C); app local directories drop to third rather than moving to second. This is what makes the cluster bundle authoritative: a setting in the bundle overrides the same setting in any app's local directory on the peer, so a peer cannot be quietly reconfigured by editing a local file.
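As an added example (not from the original page and not Splunk code), the following script resolves one setting under both precedence lists so the difference is visible. The directory orders are the ones from the Splunk "Configuration file precedence" documentation; the layers, the indexes.conf values and the main stanza contents are constructed. It ignores the alphabetical ordering Splunk applies among apps within the same directory class.

```python
# Added example, not Splunk code: emulate global-context configuration precedence.

# Standalone indexer, highest priority first.
STANDALONE_ORDER = [
    "etc/system/local",
    "etc/apps/*/local",
    "etc/apps/*/default",
    "etc/system/default",
]

# Indexer-cluster peer: the bundle pushed from the manager node's manager-apps
# (master-apps in older releases) lands in etc/peer-apps (formerly slave-apps).
CLUSTER_PEER_ORDER = [
    "etc/peer-apps/*/local",
    "etc/system/local",
    "etc/apps/*/local",
    "etc/peer-apps/*/default",
    "etc/apps/*/default",
    "etc/system/default",
]

# Constructed layers: the same indexes.conf stanza defined in several places.
LAYERS = {
    "etc/system/default": {
        "main": {"maxHotBuckets": "3", "frozenTimePeriodInSecs": "188697600"}},
    "etc/apps/*/local": {
        "main": {"maxHotBuckets": "10"}},
    "etc/peer-apps/*/local": {
        "main": {"maxHotBuckets": "6", "frozenTimePeriodInSecs": "7776000"}},
}


def effective(order, layers, stanza, key):
    """Return (value, directory) for the highest-priority definition of `key`."""
    for directory in order:
        value = layers.get(directory, {}).get(stanza, {}).get(key)
        if value is not None:
            return value, directory
    return None, None


def effective_stanza(order, layers, stanza):
    """Merge every layer of `stanza`, lower priority first so higher ones overwrite."""
    merged = {}
    for directory in reversed(order):
        merged.update(layers.get(directory, {}).get(stanza, {}))
    return merged


if __name__ == "__main__":
    for label, order in (("standalone", STANDALONE_ORDER), ("cluster peer", CLUSTER_PEER_ORDER)):
        value, where = effective(order, LAYERS, "main", "maxHotBuckets")
        print(f"{label}: maxHotBuckets = {value} (from {where})")
        print(f"{label}: merged [main] = {effective_stanza(order, LAYERS, 'main')}")
```

On the standalone list the peer-apps layer is simply not consulted, so the app's local value wins; on the peer it is the bundle value that wins, which is the behaviour option C describes.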


Question # 28
Which of the following are methods for adding inputs in Splunk? (select all that apply)

  • A. Editing monitor.conf
  • B. CLI
  • C. Splunk Web
  • D. Editing inputs.conf

Correct answer: B, C, D


Question # 29
Which file will be matched by the following monitor stanza in inputs.conf?
[monitor:///var/log/*/bar/*.txt]

  • A. /var/log/host_460352847/temp/bar/file/csv/foo.txt
  • B. /var/log/host_460352847/bar/foo.txt
  • C. /var/log/host_460352847/bar/file/foo.txt
  • D. /var/log/host_460352847/temp/bar/file/foo.txt

Correct answer: B

Explanation:
The monitor stanza in inputs.conf tells Splunk which files and directories to watch for new data. Its syntax is:
[monitor://<input path>]
The input path can be a file or a directory and may contain wildcards. A single asterisk (*) matches any characters except a path separator, so it only ever matches within one directory level, whereas an ellipsis (...) recurses through subdirectories. The input path is case-sensitive.
The path here is /var/log/*/bar/*.txt: exactly one directory level under /var/log, then a directory named bar, then a file ending in .txt directly inside bar. Only /var/log/host_460352847/bar/foo.txt satisfies all three conditions. The other files are not matched because:
A) /var/log/host_460352847/temp/bar/file/csv/foo.txt has two directory levels (host_460352847/temp) between /var/log and bar, and foo.txt sits two levels below bar.
C) /var/log/host_460352847/bar/file/foo.txt has an extra directory (file) between bar and foo.txt; a single * cannot match file/foo.txt because it contains a separator.
D) /var/log/host_460352847/temp/bar/file/foo.txt fails for both reasons.
To pick up files deeper below bar, the recursive ... wildcard would be needed instead of *.
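The matching rule, as an added example rather than Splunk's own matcher or code from the original page: the script translates a monitor stanza into an anchored regular expression, with * restricted to one path segment and ... allowed to span separators, and runs it over the four paths from the question plus one constructed .csv file. Whether ... may also match zero directory levels is not modelled here; check the inputs.conf specification for that edge case before relying on it.

```python
import re

# Added example, not Splunk code: emulate wildcard matching for [monitor://...].

CANDIDATES = [
    "/var/log/host_460352847/temp/bar/file/csv/foo.txt",
    "/var/log/host_460352847/bar/foo.txt",
    "/var/log/host_460352847/bar/file/foo.txt",
    "/var/log/host_460352847/temp/bar/file/foo.txt",
    "/var/log/host_460352847/bar/foo.csv",   # constructed: wrong extension
]


def monitor_path_to_regex(stanza):
    """Translate '[monitor://<path>]' into an anchored regular expression."""
    m = re.fullmatch(r"\[monitor://(.+)\]", stanza.strip())
    if not m:
        raise ValueError("not a monitor stanza: %r" % stanza)
    path, parts, i = m.group(1), [], 0
    while i < len(path):
        if path.startswith("...", i):
            parts.append(".*")       # recursive: may cross "/" boundaries
            i += 3
        elif path[i] == "*":
            parts.append("[^/]*")    # single path segment only
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def matching_files(stanza, candidates):
    """Return the candidate paths, in order, that the stanza would monitor."""
    rx = monitor_path_to_regex(stanza)
    return [p for p in candidates if rx.match(p)]


if __name__ == "__main__":
    for stanza in ("[monitor:///var/log/*/bar/*.txt]",
                   "[monitor:///var/log/.../*.txt]"):
        print(stanza)
        for path in matching_files(stanza, CANDIDATES):
            print("   ", path)
```

The second stanza in the demo shows the contrast: with ... in place of the first * and no bar constraint, every .txt file under /var/log is picked up regardless of depth, which is usually far more than an admin intends and is why the single-segment * is the safer default.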


Question # 30
In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

  • A. 14MB
  • B. 28MB
  • C. 21MB
  • D. 7MB

Correct answer: C

Explanation:
With useACK = true the forwarder keeps data it has already sent in a wait queue until the receiving indexer acknowledges that the data has been written, so it can resend after a connection failure instead of silently losing it. That wait queue is sized at three times maxQueueSize, so 7 MB x 3 = 21 MB.


Question # 31
......

Splunk SPLK-1003 realistic questions and smart question bank: https://www.goshiken.com/Splunk/SPLK-1003-mondaishu.html

SPLK-1003 question bank, high-probability practice questions for Splunk Enterprise Certified Admin: https://drive.google.com/open?id=1TPTcEtR0SzpM7L0Jdg8j88WrqzF68Pzl