Splunk SPLK-1003 Splunk Enterprise Certified Admin Online Training

Splunk SPLK-1003 Online Training

The questions for SPLK-1003 were last updated at Jun 20,2025.

Exam Code: SPLK-1003
Exam Name: Splunk Enterprise Certified Admin
Certification Provider: Splunk
Latest update: Jun 20,2025

Question #41

Authentication Granted

6 Log into Splunk

Correct Answer: C

Explanation:

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 – SPlunk connection initiated

2 – Primary authentication

3 – Splunk connection established to Duo Security over TCP port 443

4 – Secondary authentication via Duo Security’s service

5 – Splunk receives authentication response

6 – Splunk session logged in.

Question #42

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A . $SFLUNK_HOME/bin/scripts
B . $SPLUNK_HOME/etc/apps/bin
C . $SPLUNK_HOME/etc/system/bin
D . $SPLUNK_HOME/etc/apps/<your_app>/bin_

Reveal Solution Hide Solution

Correct Answer: ACD
ACD

Explanation:

"Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system."

Question #43

How does the Monitoring Console monitor forwarders?

A . By pulling internal logs from forwarders.
B . By using the forwarder monitoring add-on
C . With internal logs forwarded by forwarders.
D . With internal logs forwarded by deployment server.

Reveal Solution Hide Solution

Correct Answer: C
C

Explanation:

Quoting the following Splunk URL reference

https://docs.splunk.com/Documentation/Splunk/8.2.2/DMC/DMCprerequisites "Monitoring Console setup prerequisites. Forward internal logs (both $SPLUNK_HOME/car/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. Without this step, many dashboards will lack data."

Question #44

What options are available when creating custom roles? (select all that apply)

A . Restrict search terms
B . Whitelist search terms
C . Limit the number of concurrent search jobs
D . Allow or restrict indexes that can be searched.

Reveal Solution Hide Solution

Correct Answer: ACD
ACD

Explanation:

https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Admin/ConcurrentLimits

"Set limits for concurrent scheduled searches. You must have the edit_search_concurrency_all and edit_search_concurrency_scheduled capabilities to configure these settings."

Question #45

Which of the following are supported options when configuring optional network inputs?

A . Metadata override, sender filtering options, network input queues (quantum queues)
B . Metadata override, sender filtering options, network input queues (memory/persistent queues)
C . Filename override, sender filtering options, network output queues (memory/persistent queues)
D . Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question #46

What is the default character encoding used by Splunk during the input phase?

A . UTF-8
B . UTF-16
C . EBCDIC
D . ISO 8859

Reveal Solution Hide Solution

Correct Answer: A
A

Explanation:

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

"Configure character set encoding. Splunk software attempts to apply UTF-8 encoding to your scources by default. If a source foesn’t use UTF-8 encoding or is a non-ASCII file, Splunk software tries to convert data from the source to UTF-8 encoding unless you specify a character set to use by setting the CHARSET key in the props.conf file."

Question #47

Which of the following enables compression for universal forwarders in outputs. conf?

A)

A . Option A
B . Option B
C . Option C
D . Option D

Reveal Solution Hide Solution

Correct Answer: B
B

Explanation:

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

#

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled. [tcpout]

server = splunkServer.example.com:4433

compressed = true

Question #48

User role inheritance allows what to be inherited from the parent role? (select all that apply)

A . Parents
B . Capabilities
C . Index access
D . Search history

Reveal Solution Hide Solution

Correct Answer: BC
BC

Explanation:

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question #49

Which of the following statements apply to directory inputs? {select all that apply)

A . All discovered text files are consumed.
B . Compressed files are ignored by default
C . Splunk recursively traverses through the directory structure.
D . When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Reveal Solution Hide Solution

Correct Answer: AC

Question #50

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

A)