Questions for the SPLK-1005 were updated on : Dec 01 ,2025
In Splunk Cloud, which of the following statements regarding REST API is true?
D
Explanation:
Splunk Cloud enables only a subset of REST API endpoints for customer use to ensure security and
control over the environment, allowing essential functionality while maintaining a secure setup.
[Reference: Splunk Docs on REST API access in Splunk Cloud]
What is the default port for sending data via HTTP Event Collector to Splunk Cloud?
B
Explanation:
The default port for HTTP Event Collector (HEC) in Splunk Cloud is 8088, which is used for data
ingestion via HEC. [Reference: Splunk Docs on HTTP Event Collector settings]
Which of the following is a valid monitor stanza for inputs.conf?
C
Explanation:
[monitor:///var/log/httpd-[0-9].log] is a valid path and syntax for inputs.conf to monitor files ending
in .log under /var/log, with other correct index, sourcetype, and host settings specified. [Reference:
Splunk Docs on monitor stanzas]
Configuration folders named default contain configuration files/settings specified in the Splunk
product or default settings specified in apps. Which of the following is recommended to override
these settings?
C
Explanation:
Placing configuration overrides in the local folder within a custom app allows for easy maintenance
and ensures that these overrides are preserved during upgrades, as files in default are overwritten.
[Reference: Splunk Docs on configuration file precedence]
Due to internal security policies, a Splunk Cloud administrator cannot send data directly to Splunk
Cloud from certain data sources. Additional parsing and API-based data sources also need to be sent
to Splunk Cloud. What forwarder type should the Splunk Cloud administrator use to satisfy these
requirements within their environment?
C
Explanation:
A heavy forwarder is appropriate in this scenario because it can perform additional data parsing,
filtering, and routing before forwarding data to Splunk Cloud. This is particularly useful for data that
requires preprocessing or cannot be sent directly due to security policies. [Reference: Splunk Docs on
forwarder types and capabilities]
When creating a new index, which of the following is true about archiving expired events?
D
Explanation:
In Splunk Cloud, expired events can be archived to customer-managed storage solutions, such as on-
premises storage. This allows organizations to retain data beyond the standard retention period if
needed. [Reference: Splunk Docs on data archiving in Splunk Cloud]
Where can an administrator download the Splunk Cloud Universal Forwarder credentials package?
C
Explanation:
The Universal Forwarder credentials package is available in the Splunk Cloud search head’s Universal
Forwarder app for secure, managed deployment. [Reference: Splunk Docs on Universal Forwarder
credentials package]
What two files are used in the data transformation process?
B
Explanation:
props.conf and transforms.conf define data parsing, transformations, and routing rules, making
them essential for data transformations. [Reference: Splunk Docs on props.conf and transforms.conf]
How is it possible to test a script from the Splunk perspective before using it within a scripted input?
D
Explanation:
splunk cmd <scriptname> allows running scripts in Splunk’s environment for testing purposes. This
ensures the script behaves as expected within Splunk’s CLI context. [Reference: Splunk Docs on
scripted inputs]
Which of the following statements is true regarding sedcmd?
D
Explanation:
SEDCMD in props.conf applies regular expressions to modify data as it is ingested. It is useful for
transforming raw event data before indexing. [Reference: Splunk Docs on SEDCMD]
Which of the following is a valid method to test if a forwarder can successfully send data to Splunk
Cloud?
B
Explanation:
Using the oneshot command allows a direct check for data reception in the cloud environment. Logs
can be verified in the cloud after the forwarder sends them. [Reference: Splunk Docs on testing
forwarder data inputs]
Given the following set of files, which of the monitor stanzas below will result in Splunk monitoring
all of the files ending with .log?
Files:
/var/log/www1/secure.log
/var/log/www1/access.log
/var/log/www2/logs/secure.log
/var/log/www2/access.log
/var/log/www2/access.log.1
B
Explanation:
The ellipsis (...) in [monitor:///var/log/.../*.log] allows Splunk to monitor files ending in .log in all
nested directories under /var/log/. [Reference: Splunk Docs on monitor stanza syntax]
What information is identified during the input phase of the ingestion process?
C
Explanation:
During the input phase, Splunk assigns metadata fields such as sourcetype, host, and source, which
are critical for data categorization and routing. [Reference: Splunk Docs on data ingestion stages]
Which of the following would always require raising a support ticket?
A
Explanation:
Any modifications in capacity or configurations within Splunk Cloud require an official support ticket,
as they are managed by Splunk Cloud support teams to ensure consistent and secure changes.
[Reference: Splunk Docs on Splunk Cloud support requests]
Which configuration shown is used to enable a forwarder as a deployment client of the server
10.1.2.3?
B
Explanation:
For setting up a deployment client, the correct stanza syntax in inputs.conf includes specifying
targetUri with the port 8089, which is the management port for Splunk instances, not the data port
9997. [Reference: Splunk Docs on deployment server configurations]