Splunk Enterprise Certified Admin SPLK-1003 Full Course Free

In Splunk Enterprise and Splunk Universal Forwarder, data inputs are configured using stanzas in inputs.conf. Each stanza defines a listener for a particular input type (for example, TCP or UDP) and a specific port.

Splunk documentation states that a single TCP input stanza can receive data from multiple remote hosts sending to the same TCP port, and similarly, a single UDP input stanza can receive data from multiple devices sending to the same UDP port. Therefore, the number of sending devices does not determine the number of stanzas required; rather, the input protocol and port type do.

In this case:

All three TCP devices can send data to one TCP port (one stanza).

All four UDP devices can send data to one UDP port (one stanza).

Thus, the minimum number of input stanzas required is two — one for TCP and one for UDP.

Example configuration (inputs.conf):

# TCP input for three switches sending via TCP

[tcp://9997]

sourcetype = switch_logs

# UDP input for four switches sending via UDP

[udp://514]

sourcetype = switch_logs

This configuration ensures all seven devices’ logs are collected without creating individual stanzas for each device.

Reference (Splunk Documentation):

Splunk® Enterprise Admin Manual → Configure Data Inputs → “Listen for network data”

inputs.conf.spec and example → “You can configure a single TCP or UDP input to receive data from multiple remote hosts.”

Splunk Universal Forwarder Manual → Configure Forwarding Inputs → “Universal Forwarders can listen on a single TCP or UDP port for multiple remote data sources.”

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called “deployment clients”. A deployment client can be a universal forwarder, a non-clustered indexer, or a search head1.

A deployment app is a directory that contains any content that you want to download to a set of deployment clients. The content can include a Splunk Enterprise app, a set of Splunk Enterprise configurations, or other content, such as scripts, images, and supporting files2.

You create a deployment app by creating a directory for it on the deployment server. The default location is $SPLUNK_HOME/etc/deployment-apps, but this is configurable through the repositoryLocation attribute in serverclass.conf. Underneath this location, each app must have its own subdirectory. The name of the subdirectory serves as the app name in the forwarder management interface2.

The other options are incorrect because:

A. On Universal Forwarder, $SPLUNK_HOME/etc/apps. This is the location where the deployment app resides after it is downloaded from the deployment server to the universal forwarder. It is not the location of the app before it is deployed2.

B. On Deployment Server, $SPLUNK_HOME/etc/apps. This is the location where the apps that are specific to the deployment server itself reside. It is not the location where the deployment apps for the clients are stored2.

D. On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps. This is not a valid location for any app on a universal forwarder. The universal forwarder does not act as a deployment server and does not store deployment apps3.