
SPLK-1005 Splunk Cloud Certified Admin Question and Answers

Question # 4

How are HTTP Event Collector (HEC) tokens configured in a managed Splunk Cloud environment?

A.

Any token will be accepted by HEC, the data may just end up in the wrong index.

B.

A token is generated when configuring a HEC input, which should be provided to the application developers.

C.

Obtain a token from the organization's application developers and apply it in Settings > Data Inputs > HTTP Event Collector > New Token.

D.

Open a support case for each new data input and a token will be provided.

Question # 5

A Splunk Cloud administrator is looking to allow a new group of Splunk users in the marketing department to access the Splunk environment and view a dashboard with relevant data. These users need to access marketing data (stored in the marketing_data index), but shouldn't be able to access other data, such as events related to security or operations.

Which approach would be the best way to accomplish these requirements?

A.

Create a new user with access to the marketing_data index assigned.

B.

Create a new role that inherits the user role and remove the capability to search indexes other than marketing_data.

C.

Create a new role that inherits the admin role and assign access to the marketing_data index.

D.

Create a new role that does not inherit from any other role, turn on the same capabilities as the user role, and assign access to the marketing_data index.

Question # 6

A log file is being ingested into Splunk, and a few events have no date stamp. How would Splunk first try to determine the missing date of the events?

A.

Splunk will take the date of a previous event within the log file.

B.

Splunk will use the current system time of the Indexer for the date.

C.

Splunk will use the date of when the file monitor was created.

D.

Splunk will take the date from the file modification time.

Question # 7

What two files are used in the data transformation process?

A.

parsing.conf and transforms.conf

B.

props.conf and transforms.conf

C.

transforms.conf and fields.conf

D.

transforms.conf and sourcetypes.conf

Question # 8

What information is identified during the input phase of the ingestion process?

A.

Line breaking and timestamp.

B.

A hash of the message payload.

C.

Metadata fields like sourcetype and host.

D.

SRC and DST IP addresses and ports.

Question # 9

Windows Input types are collected in Splunk via a script which is configurable using the GUI. What is this type of input called?

A.

Batch

B.

Scripted

C.

Modular

D.

Front-end

Question # 10

When creating a new index, which of the following is true about archiving expired events?

A.

Store expired events in private AWS-based storage.

B.

Expired events cannot be archived.

C.

Archive some expired events from an index and discard others.

D.

Store expired events on-prem using your own storage systems.

Question # 11

By default, which of the following capabilities are granted to the sc_admin role?

A.

indexes_edit, edit___token, admin_all_objects, delete_by_keyword

B.

indexes_edit, fsh_manage, acs_conf, list_indexesdiscovert

C.

indexes_edit, fsh_manage, admin_all_objects, can_delete

D.

indexes_edit, edit_token_http, admin_all_objects, edit_limits_conf

Question # 12

Which of the following is an accurate statement about the delete command?

A.

The delete command removes events from disk.

B.

By default, only admins can run the delete command.

C.

Events are virtually deleted by marking them as deleted.

D.

Deleting events reclaims disk space.

Question # 13

Li was asked to create a Splunk configuration to monitor syslog files stored on Linux servers at their organization. This configuration will be pushed out to multiple systems via a Splunk app using the on-prem deployment server.

The system administrators have provided Li with a directory listing for the logging locations on three syslog hosts, which are representative of the file structure for all systems collecting this data. An example from each system is shown below:

(The directory listings for the three hosts and the four candidate configurations, options A through D, were presented as images and are not reproduced here.)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Question # 14

In what scenarios would transforms.conf be used?

A.

Per-Event Index Routing, Applying Event Types, SEDCMD operations

B.

Per-Event Sourcetype, Per-Event Host Name, Per-Event Index Routing

C.

Per-Event Host Name, Per-Event Index Routing, SEDCMD operations

D.

Per-Event Sourcetype, Per-Event Index Routing, Applying Event Types

Question # 15

When is data deleted from a Splunk Cloud index?

A.

When buckets roll to frozen, without a defined archive.

B.

When data is deleted via the Splunk Cloud Admin GUI.

C.

When TA_Delete is downloaded and enabled from SplunkBase.

D.

When the deleteindex command is executed from the CLI.

Question # 16

In which file can the SHOULD_LINEMERGE setting be modified?

A.

transforms.conf

B.

inputs.conf

C.

props.conf

D.

outputs.conf

Question # 17

Which of the following is a valid method to test if a forwarder can successfully send data to Splunk Cloud?

A.

Search the _audit index to confirm whether the forwarder ID was registered.

B.

Use oneshot from the CLI on the forwarders, then check to see if those logs show up in the Splunk Cloud environment.

C.

On Splunk Cloud UI, click Add Data and upload a test file, then search to see if the logs show up.

D.

Ping inputssl.example.splunkcloud.com to see if it responds.

Question # 18

When using Splunk Universal Forwarders, which of the following is true?

A.

No more than six Universal Forwarders may connect directly to Splunk Cloud.

B.

Any number of Universal Forwarders may connect directly to Splunk Cloud.

C.

Universal Forwarders must send data to an Intermediate Forwarder.

D.

There must be one Intermediate Forwarder for every three Universal Forwarders.

Question # 19

What is the name of the Splunk index that contains the most valuable information for troubleshooting a Splunk issue?

A.

_internal

B.

lastchanceindex

C.

_monitoring

D.

defaultdb

Question # 20

Which of the following is a valid stanza in props.conf?

A.

[sourcetype::linux_secure]

B.

[host=nyc25]

C.

[host::nyc*]

D.

[host:nyc*]

Question # 21

When should Splunk Cloud Support be contacted?

A.

For scripted input troubleshooting.

B.

For all configuration changes.

C.

When unable to resolve issues or perform problem isolation.

D.

For resizing, license changes, or any purchases.

Question # 22

What is the default port for sending data via HTTP Event Collector to Splunk Cloud?

A.

443

B.

8088

C.

9997

D.

8000

Question # 23

In which of the following situations should Splunk Support be contacted?

A.

When a custom search needs tuning due to not performing as expected.

B.

When an app on Splunkbase indicates Request Install.

C.

Before using the delete command.

D.

When a new role that mirrors sc_admin is required.

Question # 24

Which of the following tasks is not managed by the Splunk Cloud administrator?

A.

Forwarding events to Splunk Cloud.

B.

Upgrading the indexer's Splunk software.

C.

Managing knowledge objects.

D.

Creating users and roles.
