Amazon
Avaya
Cisco
CompTIA
CrowdStrike
EC-Council
EXIN
Fortinet
Google
ISC
ISC2
ITIL
Juniper
Microsoft
NVIDIA
Okta
Palo Alto Networks
Salesforce
All Vendors
  1. Home
  2. Splunk
  3. SPLK-1005

Splunk SPLK-1005 Exam (page: 2)
Splunk Cloud Certified Admin
Updated on: 07-Feb-2026

Viewing Page 2 of 17
SPLK-1005 PDF 80 Questions

In which of the following situations should Splunk Support be contacted?

  1. When a custom search needs tuning due to not performing as expected.
  2. When an app on Splunkbase indicates Request Install.
  3. Before using the delete command.
  4. When a new role that mirrors sc_admin is required.

Answer(s): B

Explanation:

In Splunk Cloud, when an app on Splunkbase indicates "Request Install," it means that the app is not available for direct self-service installation and requires intervention from Splunk Support. This could be because the app needs to undergo an additional review for compatibility with the managed cloud environment or because it requires special installation procedures. In these cases, customers need to contact Splunk Support to request the installation of the app. Support will ensure that the app is properly vetted and compatible with Splunk Cloud before proceeding with the installation.


Reference:

For further details, consult Splunk's guidelines on requesting app installations in Splunk Cloud and the processes involved in reviewing and approving apps for use in the cloud environment.
Source:
Splunk Docs: Install apps in Splunk Cloud Platform
Splunkbase: App request procedures for Splunk Cloud



The following Apache access log is being ingested into Splunk via a monitor input:



How does Splunk determine the time zone for this event?

  1. The value of the TZ attribute in props. cont for the a :ces3_ccwbined sourcetype.
  2. The value of the TZ attribute in props, conf for the my.webserver.example host.
  3. The time zone of the Heavy/Intermediate Forwarder with the monitor input.
  4. The time zone indicator in the raw event data.

Answer(s): D

Explanation:

In Splunk, when ingesting logs such as an Apache access log, the time zone for each event is typically determined by the time zone indicator present in the raw event data itself. In the log snippet you provided, the time zone is indicated by -0400, which specifies that the event's timestamp is 4 hours behind UTC (Coordinated Universal Time).
Splunk uses this information directly from the event to properly parse the timestamp and apply the correct time zone. This ensures that the event's time is accurately reflected regardless of the time zone in which the Splunk instance or forwarder is located. Splunk Cloud


Reference:

For further details, you can review Splunk documentation on timestamp recognition and time zone handling, especially in relation to log files and data ingestion configurations.
Source:
Splunk Docs: How Splunk software handles timestamps
Splunk Docs: Configure event timestamp recognition



What syntax is required in inputs.conf to ingest data from files or directories?

  1. A monitor stanza, sourcetype, and Index is required to ingest data.
  2. A monitor stanza, sourcetype, index, and host is required to ingest data.
  3. A monitor stanza and sourcetype is required to ingest data.
  4. Only the monitor stanza is required to ingest data.

Answer(s): A

Explanation:

In Splunk, to ingest data from files or directories, the basic configuration in inputs.conf requires at least the following elements:
monitor stanza: Specifies the file or directory to be monitored. sourcetype: Identifies the format or type of the incoming data, which helps Splunk to correctly parse it.
index: Determines where the data will be stored within Splunk. The host attribute is optional, as Splunk can auto-assign a host value, but specifying it can be useful in certain scenarios. However, it is not mandatory for data ingestion. Splunk Cloud


Reference:

For more details, you can consult the Splunk documentation on inputs.conf file configuration and best practices.
Source:
Splunk Docs: Monitor files and directories
Splunk Docs: Inputs.conf examples



A user has been asked to mask some sensitive data without tampering with the structure of the file /var/log/purchase/transactions. log that has the following format:



A)



B)



C)



D)

  1. Option A
  2. Option B
  3. Option C
  4. Option D

Answer(s): B

Explanation:

Option B is the correct approach because it properly uses a TRANSFORMS stanza in props.conf to reference the transforms.conf for removing sensitive data. The transforms stanza in transforms.conf uses a regular expression (REGEX) to locate the sensitive data (in this case, the SuperSecretNumber) and replaces it with a masked version using the FORMAT directive.
In detail:
props.conf refers to the transforms.conf stanza remove_sensitive_data by setting TRANSFORMS- cleanup = remove_sensitive_data.
transforms.conf defines the regular expression that matches the sensitive data and specifies how the sensitive data should be replaced in the FORMAT directive. This approach ensures that sensitive information is masked before indexing without altering the structure of the log files.


Reference:

For further reference, you can look at Splunk's documentation regarding data masking and transformation through props.conf and transforms.conf.
Source:
Splunk Docs: Anonymize data
Splunk Docs: Props.conf and Transforms.conf



Which of the following are valid settings for file and directory monitor inputs? A)



B)



C)



D)

  1. Option A
  2. Option B
  3. Option C
  4. Option D

Answer(s): B

Explanation:

In Splunk, when configuring file and directory monitor inputs, several settings are available that control how data is indexed and processed. These settings are defined in the inputs.conf file. Among the given options:
host: Specifies the hostname associated with the data. It can be set to a static value, or dynamically assigned using settings like host_regex or host_segment. index: Specifies the index where the data will be stored. sourcetype: Defines the data type, which helps Splunk to correctly parse and process the data. TCP_Routing: Used to route data to specific indexers in a distributed environment based on TCP routing rules.
host_regex: Allows you to extract the host from the path or filename using a regular expression. host_segment: Identifies the segment of the directory structure (path) to use as the host.
Given the options:
Option B is correct because it includes host, index, sourcetype, TCP_Routing, host_regex, and host_segment. These are all valid settings for file and directory monitor inputs in Splunk.
Splunk Documentation


Reference:

Monitor Inputs (inputs.conf)
Host Setting in Inputs
TCP Routing in Inputs
By referring to the Splunk documentation on configuring inputs, it's clear that Option B aligns with the valid settings used for file and directory monitoring, making it the correct choice.



Viewing Page 2 of 17



Share your comments for Splunk SPLK-1005 exam with other users:

Isak 7/6/2023 3:21:00 AM

i need it very much please share it in the fastest time.
Anonymous


Maria 6/23/2023 11:40:00 AM

correct answer is d for student.java program
IRELAND


Nagendra Pedipina 7/12/2023 9:10:00 AM

q:37 c is correct
INDIA


John 9/16/2023 9:37:00 PM

q6 exam topic: terramearth, c: correct answer: copy 1petabyte to encrypted usb device ???
GERMANY


SAM 12/4/2023 12:56:00 AM

explained answers
INDIA


Andy 12/26/2023 9:35:00 PM

plan to take theaws certified developer - associate dva-c02 in the next few weeks
SINGAPORE


siva 5/17/2023 12:32:00 AM

very helpfull
Anonymous


mouna 9/27/2023 8:53:00 AM

good questions
Anonymous


Bhavya 9/12/2023 7:18:00 AM

help to practice csa exam
Anonymous


Malik 9/28/2023 1:09:00 PM

nice tip and well documented
Anonymous


rodrigo 6/22/2023 7:55:00 AM

i need the exam
Anonymous


Dan 6/29/2023 1:53:00 PM

please upload
Anonymous


Ale M 11/22/2023 6:38:00 PM

prepping for fsc exam
AUSTRALIA


ahmad hassan 9/6/2023 3:26:00 AM

pd1 with great experience
Anonymous


Žarko 9/5/2023 3:35:00 AM

@t it seems like azure service bus message quesues could be the best solution
UNITED KINGDOM


Shiji 10/15/2023 1:08:00 PM

helpful to check your understanding.
INDIA


Da Costa 8/27/2023 11:43:00 AM

question 128 the answer should be static not auto
Anonymous


bot 7/26/2023 6:45:00 PM

more comments here
UNITED STATES


Kaleemullah 12/31/2023 1:35:00 AM

great support to appear for exams
Anonymous


Bsmaind 8/20/2023 9:26:00 AM

useful dumps
Anonymous


Blessious Phiri 8/13/2023 8:37:00 AM

making progress
Anonymous


Nabla 9/17/2023 10:20:00 AM

q31 answer should be d i think
FRANCE


vladputin 7/20/2023 5:00:00 AM

is this real?
UNITED STATES


Nick W 9/29/2023 7:32:00 AM

q10: c and f are also true. q11: this is outdated. you no longer need ownership on a pipe to operate it
Anonymous


Naveed 8/28/2023 2:48:00 AM

good questions with simple explanation
UNITED STATES


cert 9/24/2023 4:53:00 PM

admin guide (windows) respond to malicious causality chains. when the cortex xdr agent identifies a remote network connection that attempts to perform malicious activity—such as encrypting endpoint files—the agent can automatically block the ip address to close all existing communication and block new connections from this ip address to the endpoint. when cortex xdrblocks an ip address per endpoint, that address remains blocked throughout all agent profiles and policies, including any host-firewall policy rules. you can view the list of all blocked ip addresses per endpoint from the action center, as well as unblock them to re-enable communication as appropriate. this module is supported with cortex xdr agent 7.3.0 and later. select the action mode to take when the cortex xdr agent detects remote malicious causality chains: enabled (default)—terminate connection and block ip address of the remote connection. disabled—do not block remote ip addresses. to allow specific and known s
Anonymous


Yves 8/29/2023 8:46:00 PM

very inciting
Anonymous


Miguel 10/16/2023 11:18:00 AM

question 5, it seems a instead of d, because: - care plan = case - patient = person account - product = product2;
SPAIN


Byset 9/25/2023 12:49:00 AM

it look like real one
Anonymous


Debabrata Das 8/28/2023 8:42:00 AM

i am taking oracle fcc certification test next two days, pls share question dumps
Anonymous


nITA KALE 8/22/2023 1:57:00 AM

i need dumps
Anonymous


CV 9/9/2023 1:54:00 PM

its time to comptia sec+
GREECE


SkepticReader 8/1/2023 8:51:00 AM

question 35 has an answer for a different question. i believe the answer is "a" because it shut off the firewall. "0" in registry data means that its false (aka off).
UNITED STATES


Nabin 10/16/2023 4:58:00 AM

helpful content
MALAYSIA