Splunk SPLK-1005 Exam Practice Test Instant Access

Question 1

Given the following set of files, which of the monitor stanzas below will result in Splunk monitoring all of the files ending with .log?

Files:

/var/log/www1/secure.log

/var/log/www1/access.log

/var/log/www2/logs/secure.log

/var/log/www2/access.log

/var/log/www2/access.log.1

A[monitor:///var/log/*/*.log]

B[monitor:///var/log/.../*.log]

C[monitor:///var/log/*/*]

D[monitor:///var/log/.../*]

Answer : B

The ellipsis (...) in [monitor:///var/log/.../*.log] allows Splunk to monitor files ending in .log in all nested directories under /var/log/. [Reference: Splunk Docs on monitor stanza syntax]

Question 2

What information is identified during the input phase of the ingestion process?

ALine breaking and timestamp.

BA hash of the message payload.

CMetadata fields like sourcetype and host.

DSRC and DST IP addresses and ports.

Answer : C

During the input phase, Splunk assigns metadata fields such as sourcetype, host, and source, which are critical for data categorization and routing. [Reference: Splunk Docs on data ingestion stages]

Question 3

Which of the following would always require raising a support ticket?

ACapacity or configuration changes in Splunk Cloud.

BSearch does not return expected results in Splunk Cloud.

CA user is unable to log into Splunk Cloud.

DData is not indexed in Splunk Cloud.

Answer : A

Any modifications in capacity or configurations within Splunk Cloud require an official support ticket, as they are managed by Splunk Cloud support teams to ensure consistent and secure changes. [Reference: Splunk Docs on Splunk Cloud support requests]

Question 4

Which configuration shown is used to enable a forwarder as a deployment client of the server 10.1.2.3?

A[target-broker:deploymentServer] targetUri = 10.1.2.3:9997

B[target-broker:deploymentserver] targetUri = 10.1.2.3:8089

C[target-broker:deploymentserver] deploymentserver = 10.1.2.3:9997

D[target-broker:deploymentserver] deploymentserver = 10.1.2.3:8089

Answer : B

For setting up a deployment client, the correct stanza syntax in inputs.conf includes specifying targetUri with the port 8089, which is the management port for Splunk instances, not the data port 9997. [Reference: Splunk Docs on deployment server configurations]

Question 5

A customer has worked with their LDAP administrator to configure an LDAP strategy in Splunk. The configuration works, and user Mia can log into Splunk using her LDAP Account. After some time, the Splunk Cloud administrator needs to move Mia from the user role to the power role. How should they accomplish this?

AAsk the LDAP administrator to move Mia's account to an appropriately mapped LDAP group.

BHave Mia log into Splunk, then update her own role in user settings.

CCreate a role named Power in Splunk, then map Mia's account to that role.

DUse the Cloud Monitoring Console app as an administrator to map Mia's account to the power role.

Answer : A

In Splunk Cloud, role-based access controls are managed by mapping LDAP groups to Splunk roles. Therefore, any change in roles should be managed by the LDAP administrator, who can adjust Mia's group to an LDAP group mapped to the power role. [Reference: Splunk Docs on LDAP integration in Splunk Cloud]

Question 6

For the following data, what would be the correct attribute/value oair to use to successfully extract the correct timestamp from all the events?

ATIMK_FORMAT = %b %d %H:%M:%S %z

BDATETIME CONFIG = %Y-%m-%d %H:%M:%S %2

CTIME_FORMAT = %b %d %H:%M:%S

DDATETIKE CONFIG = Sb %d %H:%M:%S

Answer : C

The correct attribute/value pair to successfully extract the timestamp from the provided events is TIME_FORMAT = %b %d %H:%M:%S. This format corresponds to the structure of the timestamps in the provided data:

%b represents the abbreviated month name (e.g., Sep).

%d represents the day of the month.

%H:%M:%S represents the time in hours, minutes, and seconds.

This format will correctly extract timestamps like 'Sep 12 06:11:58'.

Splunk Documentation Reference: Configure Timestamp Recognition

Question 7

Which of the following app installation scenarios can be achieved without involving Splunk Support?

ADeploy premium apps.

BInstall apps via the Request Install button.

CInstall apps via self-service.

DInstall apps that have not gone through the vetting process.

Answer : C

In Splunk Cloud, you can install apps via self-service, which allows you to install certain approved apps without involving Splunk Support. This self-service capability is provided for apps that have already been vetted and approved for use in the Splunk Cloud environment.

Option A typically requires support involvement because premium apps often need licensing or other special considerations.

Option B might involve the Request Install button, but some apps might still require vetting or support approval.

Option D is incorrect because apps that have not gone through the vetting process cannot be installed via self-service and would require Splunk Support for evaluation and approval.

Splunk Documentation Reference: Install apps on Splunk Cloud

Splunk SPLK-1005 Splunk Cloud Certified Admin Exam Practice Test