Splunk Certified Admin Dump Exam
Questions and Answers 100% Solved
Within props.conf, which stanzas are valid for data modification? (select all
that apply)
A. Host
B. Server
C. Source
D. Sourcetype - ✔✔ANSWER: ACD
The universal forwarder has which capabilities when sending data?
A. Sending alerts
B. Compressing Data
C. Obfuscating/hiding data
D. Indexer acknowledgement - ✔✔ANSWER: BD
©JOSHCLAY 2024/2025. YEAR PUBLISHED 2024.
When running the command shown below, what is the default path in which
deployment server.conf is created?
splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default
D. SPLUNK_HOME/etc/apps/deployment - ✔✔ANSWER: B
What type of data is counted against the Enterprise license at a fixed 150
bytes per event?
A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs - ✔✔ANSWER: B
In case of a conflict between a whitelist and a blacklist input setting, which
one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out
D. Whichever is entered into the configuration first - ✔✔ANSWER: A
Where are license files stored?
A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses - ✔✔ANSWER: C
In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing.
Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20