Splunk Enterprise Certified Admin Sample Questions

The Splunk Enterprise Certified Admin certification is earned by passing the Splunk Enterprise Certified Admin exam. The exam assesses a candidate’s knowledge and ability to maintain the various Splunk components on a regular basis, including the state of the installation. Splunk Enterprise Certified Admin is the prerequisite for the Splunk Enterprise Certified Architect and Splunk Certified Developer certification courses. This article provides a list of Splunk Enterprise Certified Admin sample questions covering the core exam topics, including:

  • Splunk Admin Basics 5% 
  • License Management 5%
  • Splunk Configuration Files 5%
  • Splunk Indexes 10%
  • Splunk User Management 5%
  • Splunk Authentication Management 5%
  • Getting Data In 5%
  • Distributed Search 10%
  • Getting Data In – Staging 5%
  • Configuring Forwarders 5%
  • Forwarder Management 10%
  • Monitor Inputs 5%
  • Network and Scripted Inputs 5%
  • Agentless Inputs 5%
  • Fine-Tuning Inputs 5%
  • Parsing Phase and Data 5%
  • Manipulating Raw Data 5%

Q1) Which indexes.conf parameter enables time-based data retention control?

  • A. maxDaysToKeep
  • B. moveToFrozenAfter
  • C. maxDataRetentionTime
  • D. frozenTimePeriodInSecs

Correct Answer: frozenTimePeriodInSecs

Refer: Managing Indexers and Clusters of Indexers

Q2) Which features may the universal forwarder use to transfer data? (Select each that applies.)

  • A. Sending alerts
  • B. Compressing data
  • C. Obfuscating/hiding data
  • D. Indexer acknowledgement

Correct Answer: Indexer acknowledgement

Refer: Forwarding Data

Q3) Which Splunk configuration file makes use of SEDCMD?

  • A. props.conf
  • B. inputs.conf
  • C. indexes.conf
  • D. transforms.conf

Correct Answer: props.conf

Refer: Why SEDCMD configured in props.conf is working during Data Preview but not during SEARCH?

Q4) Which of the following methods for adding inputs to a forwarder are supported? (Select each that applies.)

  • A. CLI
  • B. Edit inputs.conf
  • C. Edit forwarder.conf
  • D. Forwarder Management

Correct Answer: CLI and Edit inputs.conf

Q5) In which parent directory does Splunk’s configuration data reside?

  • A. $SPLUNK_HOME/etc
  • B. $SPLUNK_HOME/var
  • C. $SPLUNK_HOME/conf
  • D. $SPLUNK_HOME/default

Correct Answer: $SPLUNK_HOME/etc

Refer: Configuration file directories

Q6) Which sort of forwarder can parse data before forwarding it?

  • A. Universal forwarder
  • B. Heaviest forwarder
  • C. Hyper forwarder
  • D. Heavy forwarder

Correct Answer: Heavy forwarder

Refer: Forwarding Data

Q7) Which Splunk component creates reports and aggregates the individual findings in a distributed environment?

  • A. Indexers
  • B. Forwarder
  • C. Search head
  • D. Search peers

Correct Answer: Indexers

Refer: Managing Indexers and Clusters of Indexers

Q8) Which Splunk component updates search head cluster members’ configuration with apps and other updates?

  • A. Deployer
  • B. Cluster master
  • C. Deployment server
  • D. Search head cluster master

Correct Answer: Deployer

Q9) On the deployment server that clients pull from, where should apps be placed?

  • A. $SPLUNK_HOME/etc/apps
  • B. $SPLUNK_HOME/etc/search
  • C. $SPLUNK_HOME/etc/master-apps
  • D. $SPLUNK_HOME/etc/deployment-app

Correct Answer: $SPLUNK_HOME/etc/apps

Refer: How to configure deployment apps to push to clients via deployment server?

Q10) During which phase of the index-time process does license metering take place?

  • A. Input phase
  • B. Parsing phase
  • C. Indexing phase
  • D. Licensing phase

Correct Answer: Indexing phase

Refer: Admin Manual

Q11) While Splunk is running, you modify a props.conf file. Without restarting Splunk, you enter the command splunk btool props list --debug. What will be the result?

  • A. A list of all the configurations on-disk that Splunk contains.
  • B. A verbose list of all configurations as they were when splunkd started.
  • C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
  • D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Correct Answer: A list of the current running props.conf configurations along with a file path from which the configuration was made.

Refer: Need help with what should be a simple precedence issue regarding props.conf and aliases.

Q12) The precedence of layered Splunk configuration files is determined by:

  • A. Owner
  • B. Weight
  • C. Context
  • D. Creation time

Correct Answer: Context

Refer: Configuration file precedence

Q13) When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

  • A. Slash notation
  • B. Regular expression
  • C. Irregular expression
  • D. Wildcard-only expression

Correct Answer: Regular expression

Refer: Updating Splunk Enterprise Instances

Q14) What must be done in order to add a native user to Splunk? (Select each that applies.)

  • A. Password
  • B. Username
  • C. Full Name
  • D. Default app

Correct Answer: Full Name and Default app

Refer: Add and edit users

Q15) What must be done in order to add a native user to Splunk? (Select each that applies.)

  • A. Protocol, port number
  • B. Protocol, port, location
  • C. Protocol, username, port
  • D. Protocol, IP, port number

Correct Answer: Protocol, port number

Refer: Set up and use HTTP Event Collector in Splunk Web

Q16) What must be done in order to add a native user to Splunk? (Select each that applies.)

  • A. Search head
  • B. Heavy forwarder
  • C. Heaviest forwarder
  • D. Universal forwarder

Correct Answer: Heavy forwarder

Refer: Heavy Forwarder Costs and Licenses

Q17) What must be done in order to add a native user to Splunk? (Select each that applies.)

  • A. _TCP_ROUTING
  • B. _INDEXER_LIST
  • C. _INDEXER_GROUP
  • D. _INDEXER_ROUTING

Correct Answer: _TCP_ROUTING

Refer: Monitor files and directories with inputs.conf

Q18) What needs to be supplied in order to configure a network input in Splunk?

  • A. File path.
  • B. Username and password.
  • C. Network protocol and port number. 
  • D. Network protocol and MAC address.

Correct Answer: File path

Q19) Which Splunk forwarder type permits data processing prior to transmission to an indexer?

  • A. Universal forwarder
  • B. Parsing forwarder
  • C. Heavy forwarder
  • D. Advanced forwarder

Correct Answer: Heavy forwarder

Q20) Which statement best describes deployment management? (Select each that applies.)

  • A. Requires an Enterprise license.
  • B. Is responsible for sending apps to forwarders.
  • C. Once used, is the only way to manage forwarders.
  • D. Can automatically restart the host OS running the forwarder.

Correct Answer: Requires an Enterprise license.
