Li was asked to create a Splunk configuration to monitor syslog files stored on Linux servers at their organization. This configuration will be pushed out to multiple systems via a Splunk app using the on-prem deployment server.
The system administrators have provided Li with a directory listing for the logging locations on three syslog hosts, which are representative of the file structure for all systems collecting this data. An example from each system is shown below:
A)
B)
C)
D)
Answer : A
The correct monitor statement that will capture all variations of the syslog file paths across different systems is [monitor:///var/log/network/syslog*/linux_secure/*].
This configuration works because:
syslog* matches directories that start with 'syslog' (like syslog01, syslog02, etc.).
The wildcard * after linux_secure/ will capture all files within that directory, including different filenames like syslog.log and syslog.log.2020090801.
This setup will ensure that all the necessary files from the different syslog hosts are monitored.
Splunk Documentation Reference: Monitor files and directories
Which monitor statement will retrieve only files that start with "access" in the directory /opt/log/www2/?
Answer : B
The correct monitor statement to retrieve only files that start with 'access' in the directory /opt/log/www2/ is [monitor:///opt/log/www2/access*]. This configuration specifically targets files that begin with the name 'access' and will match any such files within that directory, such as 'access.log'.
Splunk Documentation Reference: Monitor files and directories
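To check how the two monitor stanzas above select files, here is an added example (not from the original page or from Splunk) that translates a `[monitor://...]` path into a regular expression using the documented wildcard rules and runs it over a constructed list of paths. It assumes `*` matches within one path segment and `...` matches any number of directory levels, including none.

```python
import re

# Translate a [monitor://...] stanza path into a compiled regular expression.
# Wildcard handling (assumed from the inputs.conf monitor wildcard rules):
#   *    matches anything except a path separator, i.e. one path segment
#   ...  matches any number of directory levels (treated here as zero or more)
def monitor_stanza_to_regex(stanza: str) -> "re.Pattern[str]":
    m = re.fullmatch(r"\[monitor://(.+)\]", stanza.strip())
    if not m:
        raise ValueError(f"not a monitor stanza: {stanza!r}")
    path = m.group(1)
    parts = []
    i = 0
    while i < len(path):
        if path.startswith(".../", i):      # recursive wildcard followed by a separator
            parts.append("(?:.*/)?")
            i += 4
        elif path.startswith("...", i):     # recursive wildcard at end of path
            parts.append(".*")
            i += 3
        elif path[i] == "*":                # single-segment wildcard
            parts.append("[^/]*")
            i += 1
        else:
            parts.append(re.escape(path[i]))
            i += 1
    return re.compile("".join(parts))


def matching_paths(stanza: str, paths: list) -> list:
    """Return the subset of paths the stanza would select, in input order."""
    rx = monitor_stanza_to_regex(stanza)
    return [p for p in paths if rx.fullmatch(p)]


# Constructed sample paths modelled on the two questions above; hostnames
# (syslog01..03) and the extra filenames are assumptions, not from the page.
SAMPLE_PATHS = [
    "/var/log/network/syslog01/linux_secure/syslog.log",
    "/var/log/network/syslog02/linux_secure/syslog.log.2020090801",
    "/var/log/network/syslog03/linux_secure/syslog.log",
    "/var/log/network/other/linux_secure/syslog.log",   # directory does not start with syslog
    "/opt/log/www2/access.log",
    "/opt/log/www2/access_log.1",
    "/opt/log/www2/error.log",                           # does not start with access
]

if __name__ == "__main__":
    for stanza in ("[monitor:///var/log/network/syslog*/linux_secure/*]",
                   "[monitor:///opt/log/www2/access*]"):
        print(stanza, "->", matching_paths(stanza, SAMPLE_PATHS))
```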
In what scenarios would transforms.conf be used?
Answer : B
transforms.conf is used for various advanced data processing tasks in Splunk, including:
Per-Event Sourcetype: Dynamically assigning a sourcetype based on event content.
Per-Event Host Name: Dynamically setting the host field based on event content.
Per-Event Index Routing: Directing specific events to different indexes based on their content.
Option B correctly identifies these common uses of transforms.conf.
Splunk Documentation Reference: transforms.conf - Configuration
For the following data, what would be the correct attribute/value pair to use to successfully extract the correct timestamp from all the events?
Answer : C
The correct attribute/value pair to successfully extract the timestamp from the provided events is TIME_FORMAT = %b %d %H:%M:%S. This format corresponds to the structure of the timestamps in the provided data:
%b represents the abbreviated month name (e.g., Sep).
%d represents the day of the month.
%H:%M:%S represents the time in hours, minutes, and seconds.
This format will correctly extract timestamps like 'Sep 12 06:11:58'.
Splunk Documentation Reference: Configure Timestamp Recognition
Which of the following app installation scenarios can be achieved without involving Splunk Support?
Answer : C
In Splunk Cloud, you can install apps via self-service, which allows you to install certain approved apps without involving Splunk Support. This self-service capability is provided for apps that have already been vetted and approved for use in the Splunk Cloud environment.
Option A typically requires support involvement because premium apps often need licensing or other special considerations.
Option B might involve the Request Install button, but some apps might still require vetting or support approval.
Option D is incorrect because apps that have not gone through the vetting process cannot be installed via self-service and would require Splunk Support for evaluation and approval.
Splunk Documentation Reference: Install apps on Splunk Cloud
Consider the following configurations:
What is the value of the sourcetype property for this stanza based on Splunk's configuration file precedence?
Answer : C
When there are conflicting configurations in Splunk, the platform resolves them based on the configuration file precedence rules. These rules dictate which settings are applied based on the hierarchy of the configuration files.
In the provided configurations:
The first configuration in $SPLUNK_HOME/etc/apps/unix/local/inputs.conf sets the sourcetype to access_combined.
The second configuration in $SPLUNK_HOME/etc/apps/search/local/inputs.conf sets the sourcetype to linux_secure.
Configuration File Precedence:
In Splunk, configurations in local directories take precedence over those in default.
If two configurations are in local directories of different apps, the alphabetical order of the app names determines the precedence.
Since 'search' comes after 'unix' alphabetically, the configuration in $SPLUNK_HOME/etc/apps/search/local/inputs.conf will take precedence.
Therefore, the value of the sourcetype property for this stanza is linux_secure.
Splunk Documentation Reference:
Configuration File Precedence
Resolving Conflicts in Splunk Configurations
This confirms that the correct answer is C. linux_secure.
In case of a Change Request, which of the following should submit a support case for Splunk Support?
Answer : D
In Splunk Cloud, when there is a need for a change request that might involve modifying settings, upgrading, or other actions requiring Splunk Support, the process typically requires submitting a support case.
D. Any person with the appropriate entitlement: This is the correct answer. Any individual who has the necessary permissions or entitlements within the Splunk environment can submit a support case. This includes administrators or users who have been granted the ability to engage with Splunk Support. The request does not necessarily have to come from a Certified Splunk Cloud Administrator or the infrastructure owner; rather, it can be submitted by anyone with the correct level of access.
Splunk Documentation Reference:
Submitting a Splunk Support Case
Managing User Roles and Entitlements