Free Splunk SPLK-1003 Practice Exam with Questions & Answers | Set: 5

To verify the integrity of a local bucket. The command ./splunk check-integrity -bucketPath [bucket path] [-verbose] is used to verify the integrity of a local bucket by comparing the hashes stored in the l1Hashes and l2Hash files with the actual data in the bucket1. This command can help detect any tampering or corruption of the data.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

When Splunk is integrated with LDAP, most of the user attributes are managed by the LDAP server and cannot be changed in the Splunk UI. However, one exception is the default app attribute, which specifies which app a user sees when they log in to Splunk. This attribute can be changed in the Splunk UI by editing the user settings. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [Configure Splunk to use LDAP and map groups - Splunk Documentation]

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

"* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts."https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. "Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers)."

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

#

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

"The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings."

"The report does not necessarily represent what's loaded in memory. If a conf file change is made that requires a service restart, the btool report shows the change even though that change isn't active."

The serverclass.conf file controls how deployment apps and configurations are distributed from the Deployment Server to its Deployment Clients. Within this configuration, attribute values can be defined at multiple levels, and Splunk applies them based on a defined order of precedence — from general to most specific.

The correct order of evaluation (lowest to highest precedence) is:

[global] — applies to all server classes and clients unless overridden.

[serverClass:<name>] — applies to all clients in that specific server class.

[serverClass:<name>:app:<appname>] — applies only to a specific app within that server class and overrides previous settings.

This means that values set in the [serverClass::app:<appname>] stanza take priority over those in [serverClass:], which in turn override values in [global].

Example (from serverclass.conf):

[global]

whitelist.0 = *

[serverClass:web_servers]

whitelist.0 = web01*

blacklist.0 = test*

[serverClass:web_servers:app:web_monitoring]

restartSplunkWeb = true

Here, restartSplunkWeb = true in the app stanza overrides any inherited setting from the global or class level.

Reference (Splunk Documentation):

Splunk® Enterprise Admin Manual → Deploy configurations using deployment server

serverclass.conf.spec and example → “Precedence of attributes: global < serverClass: < serverClass::app:<appname>”

Splunk Docs: “How the deployment server works”

When using a directory monitor input, specific source types can be selectively overridden using the props.conf file. According to the Splunk documentation1, “You can specify a source type for data based on its input and source. Specify source type for an input. You can assign the source type for data coming from a specific input, such as /var/log/. If you use Splunk Cloud Platform, use Splunk Web to define source types. If you use Splunk Enterprise, define source types in Splunk Web or by editing the inputs.conf configuration file.” However, this method is not very granular and assigns the same source type to all data from an input. To override the source type on a per-event basis, you need to use the props.conf file and the transforms.conf file2. The props.conf file contains settings that determine how the Splunk platform processes incoming data, such as how to segment events, extract fields, and assign source types2. The transforms.conf file contains settings that modify or filter event dataduring indexing or search time2. You can use these files to create rules that match specific patterns in the event data and assign different source types accordingly2. For example, you can create a rule that assigns a source type of apache_error to any event that contains the word “error” in the first line2.