Splunk Enterprise Certified Admin Sample Questions
The Splunk Enterprise Certified Admin certification is earned by passing the Splunk Enterprise Certified Admin exam. The exam assesses a candidate’s knowledge and ability to regularly maintain the different Splunk components, including the state of the installation. Splunk Enterprise Certified Admin is the prerequisite for the Splunk Enterprise Certified Architect and Splunk Certified Developer certification courses. This article provides a list of Splunk Enterprise Certified Admin sample questions that cover the core exam topics:
- Splunk Admin Basics 5%
- License Management 5%
- Splunk Configuration Files 5%
- Splunk Indexes 10%
- Splunk User Management 5%
- Splunk Authentication Management 5%
- Getting Data In 5%
- Distributed Search 10%
- Getting Data In – Staging 5%
- Configuring Forwarders 5%
- Forwarder Management 10%
- Monitor Inputs 5%
- Network and Scripted Inputs 5%
- Agentless Inputs 5%
- Fine-Tuning Inputs 5%
- Parsing Phase and Data 5%
- Manipulating Raw Data 5%
Q1) Which indexes.conf parameter enables time-based data retention control?
- A. maxDaysToKeep
- B. moveToFrozenAfter
- C. maxDataRetentionTime
- D. frozenTimePeriodInSecs
Correct Answer: frozenTimePeriodInSecs
Refer: Managing Indexers and Clusters of Indexers
Q2) Which features may the universal forwarder use to transfer data? (Select each that applies.)
- A. Sending alerts
- B. Compressing data
- C. Obfuscating/hiding data
- D. Indexer acknowledgement
Correct Answer: Indexer acknowledgement
Refer: Forwarding Data
Q3) Which Splunk configuration file makes use of SEDCMD?
- A. props.conf
- B. inputs.conf
- C. indexes.conf
- D. transforms.conf
Correct Answer: props.conf
Refer: Why SEDCMD configured in props.conf is working during Data Preview but not during SEARCH?
Q4) Which of the following methods for adding inputs to a forwarder are supported? (Select each that applies.)
- A. CLI
- B. Edit inputs.conf
- C. Edit forwarder.conf
- D. Forwarder Management
Correct Answer: CLI and Edit inputs.conf
Q5) Which parent directory does Splunk’s configuration data reside in?
- A. $SPLUNK_HOME/etc
- B. $SPLUNK_HOME/var
- C. $SPLUNK_HOME/conf
- D. $SPLUNK_HOME/default
Correct Answer: $SPLUNK_HOME/etc
Refer: Configuration file directories
Q6) Which sort of forwarder can parse data before forwarding it?
- A. Universal forwarder
- B. Heaviest forwarder
- C. Hyper forwarder
- D. Heavy forwarder
Correct Answer: Heavy forwarder
Refer: Forwarding Data
Q7) Which Splunk component creates reports and aggregates the individual findings in a distributed environment?
- A. Indexers
- B. Forwarder
- C. Search head
- D. Search peers
Correct Answer: Indexers
Refer: Managing Indexers and Clusters of Indexers
Q8) Which Splunk component updates search head cluster members’ configuration with apps and other updates?
- A. Deployer
- B. Cluster master
- C. Deployment server
- D. Search head cluster master
Correct Answer: Deployer
Q9) On the deployment server that clients pull from, where should apps be placed?
- A. $SPLUNK_HOME/etc/apps
- B. $SPLUNK_HOME/etc/search
- C. $SPLUNK_HOME/etc/master-apps
- D. $SPLUNK_HOME/etc/deployment-app
Correct Answer: $SPLUNK_HOME/etc/apps
Refer: How to configure deployment apps to push to clients via deployment server?
Q10) When does the licence metering take place during the index time process?
- A. Input phase
- B. Parsing phase
- C. Indexing phase
- D. Licensing phase
Correct Answer: Indexing phase
Refer: Admin Manual
Q11) While Splunk is running, you modify a props.conf file. You enter the command splunk btool props list --debug without restarting Splunk. What will be the result?
- A. A list of all the configurations on-disk that Splunk contains.
- B. A verbose list of all configurations as they were when splunkd started.
- C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
- D. A list of the current running props.conf configurations along with a file path from which the configuration was made.
Correct Answer: A list of the current running props.conf configurations along with a file path from which the configuration was made.
Refer: Need help with what should be a simple precedence issue regarding props.conf and aliases.
Q12) Layered Splunk configuration files’ precedence is determined by:
- A. Owner
- B. Weight
- C. Context
- D. Creation time
Correct Answer: Context
Refer: Configuration file precedence
Q13) When configuring monitor inputs with whitelists or blacklists, what is the supported technique for filtering the lists?
- A. Slash notation
- B. Regular expression
- C. Irregular expression
- D. Wildcard-only expression
Correct Answer: Regular expression
Refer: Updating Splunk Enterprise Instances
Q14) What must be done in order to add a native user to Splunk? (Select each that applies.)
- A. Password
- B. Username
- C. Full Name
- D. Default app
Correct Answer: Full Name and Default app
Refer: Add and edit users
Q15) What must be done in order to add a native user to Splunk? (Select each that applies.)
- A. Protocol, port number
- B. Protocol, port, location
- C. Protocol, username, port
- D. Protocol, IP, port number
Correct Answer: Protocol, port number
Refer: Set up and use HTTP Event Collector in Splunk Web
Q16) What must be done in order to add a native user to Splunk? (Select each that applies.)
- A. Search head
- B. Heavy forwarder
- C. Heaviest forwarder
- D. Universal forwarder
Correct Answer: Heavy forwarder
Refer: Heavy Forwarder Costs and Licenses
Q17) What must be done in order to add a native user to Splunk? (Select each that applies.)
- A. _TCP_ROUTING
- B. _INDEXER_LIST
- C. _INDEXER_GROUP
- D. _INDEXER_ROUTING
Correct Answer: _TCP_ROUTING
Refer: Monitor files and directories with inputs.conf
Q18) What needs to be supplied in order to configure a network input in Splunk?
- A. File path.
- B. Username and password.
- C. Network protocol and port number.
- D. Network protocol and MAC address.
Correct Answer: File path
Q19) Which Splunk forwarder type permits data processing prior to transmission to an indexer?
- A. Universal forwarder
- B. Parsing forwarder
- C. Heavy forwarder
- D. Advanced forwarder
Correct Answer: Heavy forwarder
Q20) What sentence best describes deployment management? (Select each that applies.)
- A. Requires an Enterprise license.
- B. Is responsible for sending apps to forwarders.
- C. Once used, is the only way to manage forwarders.
- D. Can automatically restart the host OS running the forwarder.
Correct Answer: Requires an Enterprise license.