Splunk Enterprise Certified Admin - SPLK-1003 Exam Questions [2026]

QUESTION NO: 1
User role inheritance allows what to be inherited from the parent role? (select all that apply)

A. Parents B. Capabilities C. Index access D. Search history

Correct Answer: B,C

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 2
An admin oversees an environment with a 1000 GB / day license. The configuration file server.confhas strict_pool_quota=false set. The license is divided into the following three pools, and today's usage is shown on the right-hand column:

Given this, which pool(s) are issued warnings?

A. Y and Z B. All pools C. Z only D. None

Correct Answer: D

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 3
Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

A. It requires that the receiver be set to compression=true. B. It requires that the forwarder be set to compressed=true. C. It does not encrypt the certificate password. D. SSL automatically compresses the feed by default.

Correct Answer: C

QUESTION NO: 4
The priority of layered Splunk configuration files depends on the file's:

A. Creation time B. Context C. Owner D. Weight

Correct Answer: B

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 5
In which phase of the index time process does the license metering occur?

A. Parsing phase B. input phase C. Indexing phase D. Licensing phase

Correct Answer: C

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 6
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

A. props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
KEY = _raw B. props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw C. transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw D. transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw

Correct Answer: C

QUESTION NO: 7
Event processing occurs at which phase of the data pipeline?

A. Input B. Indexing C. Parsing D. Search

Correct Answer: C

Explanation: Only visible for Pass4Test members. You can sign-up / login (it's free).

QUESTION NO: 8
What is a role in Splunk? (select all that apply)

A. A classification that determines if a Splunk server can remotely control another Splunk server. B. A classification that determines what capabilities a user has. C. A classification that determines what indexes a user can search. D. A classification that determines what functions a Splunk server controls.

Correct Answer: B,C