Splunk SPLK-1003 - Splunk Enterprise Certified Admin

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

The correct answer is C and D. A heavy forwarder and an indexer are the Splunk components that can break a stream of syslog inputs into individual events.

A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, but it does not perform any parsing or indexing on the data. A search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data.

A heavy forwarder is a Splunk component that can perform parsing, filtering, routing, and aggregation on the data before forwarding it to indexers or other destinations. A heavy forwarder can break a stream of syslog inputs into individual events based on the line breaker and should linemerge settings in the inputs.conf file1.

An indexer is a Splunk component that stores and indexes data, making it searchable. An indexer can also break a stream of syslog inputs into individual events based on the props.conf file settings, such as TIME_FORMAT, MAX_TIMESTAMP_LOOKAHEAD, and line_breaker2.

A Splunk component is a software process that performs a specific function in a Splunk deployment, such as data collection, data processing, data storage, data search, or data visualization.

Syslog is a standard protocol for logging messages from network devices, such as routers, switches, firewalls, or servers. Syslog messages are typically sent over UDP or TCP to a central syslog server or a Splunk instance.

Breaking a stream of syslog inputs into individual events means separating the data into discrete records that can be indexed and searched by Splunk. Each event should have a timestamp, a host, a source, and a sourcetype, which are the default fields that Splunk assigns to the data.

- etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see :https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical-stanzas-within-a-single/m-p/283566

The Universal Forwarder (UF) handles data forwarding to indexers. When monitoring a continuous and high-volume syslog stream over TCP, the UF may not detect an end-of-file (EOF) condition, which is typicallyrequired to trigger load balancing between multiple indexers. This can result in the UF continuously sending data to a single indexer, potentially leading to uneven load distribution.

To address this, Splunk provides the forceTimebasedAutoLB setting in the outputs.conf configuration file. Enabling this setting allows the UF to switch between indexers at regular time intervals, regardless of EOF detection. This ensures a more balanced distribution of data across multiple indexers, even in scenarios with continuous data streams like syslog.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: "The deployment server distributes deployment apps to clients."

When Splunk is integrated with LDAP, most of the user attributes are managed by the LDAP server and cannot be changed in the Splunk UI. However, one exception is the default app attribute, which specifies which app a user sees when they log in to Splunk. This attribute can be changed in the Splunk UI by editing the user settings. Therefore, option A is the correct answer. References: Splunk Enterprise Certified Admin | Splunk, [Configure Splunk to use LDAP and map groups - Splunk Documentation]

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Splunk checks role-to-group mapping only during user login for external authentication (e.g., LDAP, SAML). Users already logged in will continue using their previously assigned roles until they log out and log back in.

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B:Search is not disabled upon role updates.

C:This is incorrect since existing users are also updated upon the next login.

D:Role updates do not terminate ongoing sessions.