SPLK-1003 PDF Question Bank: Real Questions Updated Recently in 2023 [Q64-Q87]



Released: Splunk SPLK-1003 Updated Questions PDF

Question # 64
What is the correct curl to send multiple events through HTTP Event Collector?

  • A. Option D
  • B. Option C
  • C. Option B
  • D. Option A

Correct answer: C

Explanation:
The correct curl command to send multiple events through the HTTP Event Collector (HEC) is:

    curl "https://mysplunkserver.example.com:8088/services/collector" \
      -H "Authorization: Splunk DF4S7ZE4-3GS1-8SFS-E777-0284GG91PF67" \
      -d '{"event": "Hello World"}, {"event": "Hola Mundo"}, {"event": "Hallo Welt"}'

HEC is a token-based API that lets any application able to make an HTTP request send data to Splunk Enterprise. The command has the following components:
  • The URL of the HEC endpoint, which consists of the protocol (https), the hostname or IP address of the Splunk server (mysplunkserver.example.com), the port number (8088), and the service name (services/collector).
  • The header that carries the authorization token, a unique identifier that grants access to the HEC endpoint. The token is prefixed with Splunk and enclosed in quotation marks. The token value (DF4S7ZE4-3GS1-8SFS-E777-0284GG91PF67) is an example and must be replaced with your own token value.
  • The data payload that contains the events to be sent: JSON objects enclosed in curly braces and separated by commas. Each event object has a mandatory field called event, which contains the raw data to be indexed. The event value can be a string, a number, a boolean, an array, or another JSON object. In this case, the event values are strings that say hello in different languages.
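As an added illustration (not part of the original question set or of Splunk's own code), the helpers below build a multi-event HEC body in the same concatenated-object shape as the curl payload above and parse such a body back into its event objects, rejecting any object that lacks the mandatory event field; the sample events and the sourcetype value are constructed for the example.

```python
import json


def build_hec_batch(events, sourcetype=None):
    """Build the body of one HEC request carrying several events: one JSON
    object per event, concatenated with no enclosing array, which is the
    shape of the -d payload in the curl command above."""
    chunks = []
    for ev in events:
        obj = {"event": ev}                 # 'event' is the only mandatory field
        if sourcetype:
            obj["sourcetype"] = sourcetype  # optional metadata travels per object
        chunks.append(json.dumps(obj))
    return "".join(chunks)


def parse_hec_batch(body):
    """Split a HEC body of concatenated JSON objects back into a list, the way
    the collector endpoint has to, and reject objects without 'event'.
    Whitespace and the commas used in the curl example are tolerated."""
    decoder = json.JSONDecoder()
    events, pos = [], 0
    while True:
        while pos < len(body) and body[pos] in " \t\r\n,":
            pos += 1                        # skip separators between objects
        if pos >= len(body):
            return events
        obj, pos = decoder.raw_decode(body, pos)
        if not isinstance(obj, dict) or "event" not in obj:
            raise ValueError("HEC object must carry the mandatory 'event' field")
        events.append(obj)


if __name__ == "__main__":
    # Constructed sample batch, not taken from the page.
    demo = build_hec_batch(["Hello World", "Hola Mundo"], sourcetype="greeting")
    print(demo)
    print(parse_hec_batch(demo))
```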


Question # 65
What is the correct order of steps in Duo Multifactor Authentication?

  • A. 1. Request Login
    2. Duo MFA
    3. Authentication Granted
    4. Connect to SAML server
    5. Log into Splunk
    6. Create User session
  • B. 1. Request Login
    2. Check authentication / group mapping
    3. Authentication Granted
    4. Duo MFA
    5. Create User session
    6. Log into Splunk
  • C. 1. Request Login
    2. Duo MFA
    3. Check authentication / group mapping
    4. Create User session
    5. Authentication Granted
    6. Log into Splunk
  • D. 1. Request Login
    2. Connect to SAML server
    3. Duo MFA
    4. Create User session
    5. Authentication Granted
    6. Log into Splunk

Correct answer: C


Question # 66
Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

  • A. monitor.conf
  • B. inputs.conf
  • C. forwarder.conf
  • D. outputs.conf

Correct answer: B, D

Explanation:
Key configuration files on a universal forwarder are:
  • inputs.conf controls how the forwarder collects data.
  • outputs.conf controls how the forwarder sends data to an indexer or another forwarder.
  • server.conf handles connection and performance tuning.
  • deploymentclient.conf connects the forwarder to a deployment server.
Reference: https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder


Question # 67
Which Splunk component would one use to perform line breaking prior to indexing?

  • A. Universal Forwarder
  • B. Search head
  • C. Heavy Forwarder
  • D. This can only be done at the indexing layer.

Correct answer: C

Explanation:
According to the Splunk documentation, a heavy forwarder is a Splunk Enterprise instance that can parse and filter data before forwarding it to an indexer. A heavy forwarder can perform line breaking, which is the process of splitting incoming data into individual events based on a set of rules. It can also apply other transformations to the data, such as field extractions, event type matching, or masking sensitive data.


Question # 68
Which of the following are supported configuration methods to add inputs on a forwarder? (Choose all that apply.)

  • A. Edit inputs.conf
  • B. CLI
  • C. Edit forwarder.conf
  • D. Forwarder Management

Correct answer: A, B

Explanation:
Reference: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/HowtoforwarddatatoSplunkEnterprise#Define_inputs_on_the_universal_forwarder_with_configuration_files


Question # 69
Which of the following types of data count against the license daily quota?

  • A. Summary index data
  • B. Replicated data
  • C. Windows internal logs
  • D. splunkd logs

Correct answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_li


Question # 70
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

  • A. transforms.conf
    [mask-SSN]
    REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw
  • B. props.conf
    [mask-SSN]
    REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
    FORMAT = $1<SSN>###-##-$2
    KEY = _raw
  • C. props.conf
    [mask-SSN]
    REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw
  • D. transforms.conf
    [mask-SSN]
    REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
    FORMAT = $1<SSN>###-##-$2
    DEST_KEY = _raw

Correct answer: D

Explanation:
transforms.conf is the correct configuration file in which to define the masking regular expression. Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf


Question # 71
What is the correct example to redact a plain-text password from raw events?

  • A. in props.conf:
    [identity]
    SEDCMD-redact_pw= s/password=([^,|/s]+)/ ####REACTED####/g
  • B. in props.conf:
    [identity]
    REGEX-redact_pw =s/password=([^,|/s]+)/ ####REACTED####/g
  • C. in transforms.conf:
    [identity]
    SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g
  • D. in transforms.conf:
    [identity]
    REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Correct answer: A

Explanation:
The correct answer is B. in props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g
According to the Splunk documentation, to redact sensitive data from raw events you use the SEDCMD attribute in props.conf. The SEDCMD attribute applies a sed expression to the raw data before indexing. The sed expression can use the s command to replace a pattern with a substitution string. For example, the following sed expression replaces any occurrence of password= followed by any characters up to a comma, whitespace, or slash with ####REACTED####:
s/password=([^,|/s]+)/ ####REACTED####/g
The g flag at the end means that the replacement is applied globally, not just to the first match.
Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.
Option C is incorrect because it uses transforms.conf instead of props.conf. transforms.conf is used to define transformations that can be applied to fields or events, such as lookups, evaluations, or replacements. However, these transformations are applied after indexing, not before.
Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in transforms.conf.
Reference: Redact data from events - Splunk Documentation
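The two masking mechanisms in questions 70 and 71 (a transforms.conf REGEX/FORMAT rewrite of _raw, and a props.conf SEDCMD expression) are emulated below so that their effect on sample events can be checked outside Splunk. This is an added example, not code from the page or from Splunk: the SSN regex uses an assumed literal SSN= marker in place of the garbled token in the question, the sed splitter handles only the s command, and the sample events are constructed.

```python
import re

SAMPLE_EVENTS = [  # constructed sample events, not from the page
    "2023-05-01 10:00:01 user=alice SSN=123-44-5678 action=login",
    "2023-05-01 10:00:02 user=bob,password=hunter2,action=login",
]
SSN_REGEX = r"(?m)^(.*)SSN=\d{3}-?\d{2}-?(\d{4}.*)$"    # assumed REGEX (SSN= marker)
SSN_FORMAT = "$1SSN=###-##-$2"                           # FORMAT as in question 70
PW_SEDCMD = "s/password=([^,|/s]+)/ ####REACTED####/g"   # SEDCMD as in question 71


def apply_transform(regex, fmt, raw):
    """transforms.conf with DEST_KEY = _raw: when REGEX matches, the expanded
    FORMAT ($1, $2 = capture groups) replaces the whole _raw, hence ^(.*)...$."""
    m = re.search(regex, raw)
    if not m:
        return raw
    return re.sub(r"\$(\d+)", lambda ref: m.group(int(ref.group(1))), fmt)


def _split_sed(expr):
    """Split 's/pattern/replacement/flags' honouring backslash escapes and
    bracket expressions: the '/' inside [...] above is not a delimiter."""
    delim, parts, buf, in_class, i = expr[1], [], "", False, 2
    while i < len(expr):
        c = expr[i]
        if c == "\\":                      # escaped character: copy the pair
            buf += expr[i:i + 2]
            i += 2
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[" and not parts:       # bracket expression in the pattern
            in_class = True
        elif c == delim and len(parts) < 2:
            parts.append(buf)
            buf = ""
            i += 1
            continue
        buf += c
        i += 1
    parts.append(buf)
    return parts                           # [pattern, replacement, flags]


def apply_sedcmd(expr, raw):
    """props.conf SEDCMD-<name>: s command only; flag g replaces every match,
    otherwise only the first match is replaced."""
    pattern, repl, flags = _split_sed(expr)
    repl = re.sub(r"(?<!\\)&", r"\\g<0>", repl)   # sed '&' -> whole match
    return re.sub(pattern, repl, raw, count=0 if "g" in flags else 1)
```

Running both functions over SAMPLE_EVENTS shows the SSN reduced to its last four digits and the password value removed together with its key, while events that do not match are returned unchanged.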


Question # 72
After how many warnings within a rolling 30-day period will a license violation occur with an enforced Enterprise license?

  • A. 0
  • B. 1
  • C. 2
  • D. 3

Correct answer: A

Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations
"Enterprise Trial license. If you get five or more warnings in a rolling 30 days period, you are in violation of your license. Dev/Test license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Developer license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. BUT for Free license. If you get three or more warnings in a rolling 30 days period, you are in violation of your license."


Question # 73
A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the Universal Forwarder to send data to the indexers?

  • A. Create one outputs.conf file for each of the server addresses in the indexing tier.
  • B. Splunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.
  • C. Configure the outputs.conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.
  • D. Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Correct answer: D

Explanation:
Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. This is explained in the Splunk documentation, which states:
To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:
    [tcpout]
    server = 10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997
The forwarder then distributes data across all of the indexers in the list.


Question # 74
Which of the following are reasons to create separate indexes? (Choose all that apply.)

  • A. Increase number of users.
  • B. File organization.
  • C. Restrict user permissions.
  • D. Different retention times.

Correct answer: C, D


Question # 75
Which forwarder type can parse data prior to forwarding?

  • A. Heavy forwarder
  • B. Heaviest forwarder
  • C. Hyper forwarder
  • D. Universal forwarder

Correct answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Forwarding/Typesofforwarders


Question # 76
If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

  • A. Deployment server
  • B. Forwarder
  • C. Indexer
  • D. Search head

Correct answer: C

Explanation:
Reference: https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310


Question # 77
Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of users?

  • A. Role federation
  • B. Linked roles
  • C. Role inheritance
  • D. Grantable roles

Correct answer: C

Explanation:
You can have a role inherit certain properties from one or more existing roles. Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles


Question # 78
On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

  • A. The blacklist takes precedence over the whitelist.
  • B. Wildcards are not supported in any client filters.
  • C. The whitelist takes precedence over the blacklist.
  • D. Machine type filters are applied before the whitelist and blacklist.

Correct answer: A


Question # 79
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

  • A. rawdata.conf
  • B. props.conf
  • C. inputs.conf
  • D. transforms.conf

Correct answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Configuretimestamprecognition


Question # 80
When does a warm bucket roll over to a cold bucket?

  • A. When the maximum warm bucket age has been reached.
  • B. When the maximum warm bucket size has been reached.
  • C. When the maximum number of warm buckets is reached.
  • D. When Splunk is restarted.

Correct answer: C

Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes
Once further conditions are met (for example, the index reaches some maximum number of warm buckets), the indexer begins to roll the warm buckets to cold, based on their age. It always selects the oldest warm bucket to roll to cold. Buckets continue to roll to cold as they age in this manner. Cold buckets reside in a different location from hot and warm buckets. You can configure the location so that cold buckets reside on cheaper storage.


Question # 81
Within props.conf, which stanzas are valid for data modification? (select all that apply)

  • A. Server
  • B. Host
  • C. Source
  • D. Sourcetype

Correct answer: D


Question # 82
Which of the following enables compression for universal forwarders in outputs.conf?

  • A.
  • B.
  • C.
  • D.

Correct answer: D

Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
# Compression
#
# This example sends compressed events to the remote indexer.
# NOTE: Compression can be enabled TCP or SSL outputs only.
# The receiver input port should also have compression enabled.
[tcpout]
server = splunkServer.example.com:4433
compressed = true


Question # 83
A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

  • A. ignore = 45d
  • B. followTail = -45d
  • C. includeNewerThan = -35d
  • D. ignoreOlderThan = 45d

Correct answer: D


Question # 84
What is required when adding a native user to Splunk? (select all that apply)

  • A. Default app
  • B. Full Name
  • C. Password
  • D. Username

Correct answer: C, D


Question # 85
Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

  • A. _external
  • B. _thefishbucket
  • C. _internal
  • D. _license

Correct answer: B, C


Question # 86
What is the command to reset the fishbucket for one source?

  • A. splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset
  • B. splunk clean eventdata -index _thefishbucket
  • C. splunk btool fishbucket reset <source>
  • D. rm -r ~/splunkforwarder/var/lib/splunk/fishbucket

Correct answer: A


Question # 87
......

