Splunk Admin
What is the default character encoding used by Splunk during the input phase?
UTF-8
UTF-16
EBCDIC
ISO 8859
Which of the following enables compression for universal forwarders in outputs.conf?
[udpout:mysplunk_indexer11] compression=true
[tcpout] defaultGroup=my_indexers compressed=true
/opt/splunkforwarder/bin/splunk enable compression
[tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false
User role inheritance allows what to be inherited from the parent role? (Choose all that apply.)
Parents
Capabilities
Index access
Search history
Which of the following statements apply to directory inputs? (Choose all that apply.)
All discovered text files are consumed.
Compressed files are ignored by default.
Splunk recursively traverses through the directory structure.
When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
[distributedSearch:NYC]
default = false
servers = nyc1:8089, nyc2:8089
[distributedSearch:HOUSTON]
default = false
servers = houston1:8089, houston2:8089
[distributedSearch]
servers = nyc1, nyc2, houston1, houston2
[distributedSearch:NYC]
default = false
servers = nyc1, nyc2
[distributedSearch:HOUSTON]
default = false
servers = houston1, houston2
[distributedSearch]
servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
[distributedSearch:NYC]
default = false
servers = nyc1:8089, nyc2:8089
[distributedSearch:HOUSTON]
default = false
servers = houston1:8089, houston2:8089
[distributedSearch]
servers = nyc1:8089; nyc2:80893; houston1:8089; houston2:8089
[distributedSearch:NYC]
default = false
servers = nyc1:8089; nyc2:8089
[distributedSearch:HOUSTON]
default = false
servers = houston1:80897706; houston2:80898350
Which of the following is a valid distributed search group?
[distributedSearch:Paris]
default = false
servers = server1, server2
[searchGroup:Paris]
default = false
servers = server1:8089, server2:8089
[searchGroup:Paris]
default = false
servers = server1:9997, server2:9997
[distributedSearch:Paris]
default = false
servers = server1:8089, server2:8089
Local user accounts created in Splunk store passwords in which file?
$SPLUNK_HOME/etc/passwd
$SPLUNK_HOME/etc/authentication
$SPLUNK_HOME/etc/users/passwd.conf
$SPLUNK_HOME/etc/users/authentication.conf
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
True
False
Newline Character
Which Splunk component does a search head primarily communicate with?
Indexer
Forwarder
Cluster master
Deployment server
Which layers are involved in Splunk configuration file layering? (Choose all that apply.)
App context
User context
Global context
Forwarder context
Which of the following are methods for adding inputs in Splunk? (Choose all that apply.)
CLI
Splunk Web
Editing inputs.conf
Editing monitor.conf
Which of the following authentication types requires scripting in Splunk?
ADFS
LDAP
SAML
RADIUS
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
... is not supported in monitor stanzas.
There is no difference, they are interchangeable and match anything beyond directory boundaries.
* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
License data
Metrics data
Internal Splunk data
Internal Windows logs
Which setting in indexes.conf allows data retention to be controlled by time?
maxDaysToKeep
moveToFrozenAfter
maxDataRetentionTime
frozenTimePeriodInSecs
The universal forwarder has which capabilities when sending data? (Choose all that apply.)
Sending alerts
Compressing data
Obfuscating/hiding data
Indexer acknowledgement
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
Blacklist
Whitelist
They cancel each other out.
Whichever is entered into the configuration first.
In which Splunk configuration is the SEDCMD used?
props.conf
inputs.conf
indexes.conf
transforms.conf
Which of the following are supported configuration methods to add inputs on a forwarder? (Choose all that apply.)
CLI
Edit inputs.conf
Edit forwarder.conf
Forwarder Management
Which parent directory contains the configuration files in Splunk?
$SPLUNK_HOME/etc
$SPLUNK_HOME/var
$SPLUNK_HOME/conf
$SPLUNK_HOME/default
Which forwarder type can parse data prior to forwarding?
Universal forwarder
Heaviest forwarder
Hyper forwarder
Heavy forwarder
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
Indexers
Forwarder
Search head
Search peers
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
Deployer
Cluster master
Deployment server
Search head cluster master
Where should apps be located on the deployment server that the clients pull from?
$SPLUNK_HOME/etc/apps
$SPLUNK_HOME/etc/search
$SPLUNK_HOME/etc/master-apps
$SPLUNK_HOME/etc/deployment-apps
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
/var/log/messages
/var/log/maillog
/var/log/maillog and /var/log/messages
None of the above
In which phase of the index time process does the license metering occur?
Input phase
Parsing phase
Indexing phase
Licensing phase
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?
A list of all the configurations on-disk that Splunk contains.
A verbose list of all configurations as they were when splunkd started.
A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
A list of the current running props.conf configurations along with a file path from which the configuration was made.
When running the command shown below, what is the default path in which deploymentserver.conf is created?
splunk set deploy-poll deployServer:port
SPLUNK_HOME/etc/deployment
SPLUNK_HOME/etc/system/local
SPLUNK_HOME/etc/system/default
SPLUNK_HOME/etc/apps/deployment
The priority of layered Splunk configuration files depends on the file's:
Owner
Weight
Context
Creation time
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
Slash notation
Regular expression
Irregular expression
Wildcard-only expression
What is required when adding a native user to Splunk? (Choose all that apply.)
Password
Username
Full Name
Default app
What are the minimum required settings when creating a network input in Splunk?
Protocol, port number
Protocol, port, location
Protocol, username, port
Protocol, IP, port number
Which Splunk component requires a Forwarder license?
Search head
Heavy forwarder
Heaviest forwarder
Universal forwarder
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
_TCP_ROUTING
_INDEXER_LIST
_INDEXER_GROUP
_INDEXER_ROUTING
To set up a network input in Splunk, what needs to be specified?
File path.
Username and password.
Network protocol and port number.
Network protocol and MAC address.
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
Universal forwarder
Parsing forwarder
Heavy forwarder
Advanced forwarder
Which of the following statements describe deployment management? (Choose all that apply.)
Requires an Enterprise license.
Is responsible for sending apps to forwarders.
Once used, is the only way to manage forwarders.
Can automatically restart the host OS running the forwarder.
During search time, which directory of configuration files has the highest precedence?
$SPLUNK_HOME/etc/system/local
$SPLUNK_HOME/etc/system/default
$SPLUNK_HOME/etc/apps/app1/local
$SPLUNK_HOME/etc/users/admin/local
Within props.conf, which stanzas are valid for data modification? (Choose all that apply.)
Host
Server
Source
Sourcetype
What is the correct order of steps in Duo Multifactor Authentication?
1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk
1. Request Login 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session
1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk
1. Request Login 2. Duo MFA 3. Check authentication / group mapping 4. Create User session 5. Authentication Granted 6. Log into Splunk
Where can scripts for scripted inputs reside on the host file system? (Choose all that apply.)
$SPLUNK_HOME/bin/scripts
$SPLUNK_HOME/etc/apps/bin
$SPLUNK_HOME/etc/system/bin
$SPLUNK_HOME/etc/apps/your_app/bin
How does the Monitoring Console monitor forwarders?
By pulling internal logs from forwarders.
By using the forwarder monitoring add-on.
With internal logs forwarded by forwarders.
With internal logs forwarded by deployment server.
What options are available when creating custom roles? (Choose all that apply.)
Restrict search terms.
Whitelist search terms.
Limit the number of concurrent search jobs.
Allow or restrict indexes that can be searched.
Which of the following are supported options when configuring optional network inputs?
Metadata override, sender filtering options, network input queues (quantum queues)
Metadata override, sender filtering options, network input queues (memory/persistent queues)
Filename override, sender filtering options, network output queues (memory/persistent queues)
Metadata override, receiver filtering options, network input queues (memory/persistent queues)
Which valid bucket types are searchable? (Choose all that apply.)
Hot buckets
Cold buckets
Warm buckets
Frozen buckets
How do you remove missing forwarders from the Monitoring Console?
By restarting Splunk.
By rescanning active forwarders.
By reloading the deployment server.
By rebuilding the forwarder asset table.
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
Any OS platform.
Linux platform only.
Windows platform only.
None of the above.
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
REGEX, DEST, FORMAT
REGEX, SRC_KEY, FORMAT
REGEX, DEST_KEY, FORMAT
REGEX, DEST_KEY, FORMATTING
Which of the following indexes come pre-configured with Splunk Enterprise? (Choose all that apply.)
_licence
_internal
_external
_thefishbucket
How often does Splunk recheck the LDAP server?
Every 5 minutes.
Each time a user logs in.
Each time Splunk is restarted.
Varies based on LDAP_refresh setting.
Where are license files stored?
$SPLUNK_HOME/etc/secure
$SPLUNK_HOME/etc/system
$SPLUNK_HOME/etc/licenses
$SPLUNK_HOME/etc/apps/licenses
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
To ensure that data has not been tampered with for auditing and/or legal purposes.
Which Splunk component performs indexing and responds to search requests from the search head?
Forwarder
Search peer
License master
Search head cluster
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
App Class
Client Class
Server Class
Forwarder Class
In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366
MAX_TIMESTAMP_LOOKAHEAD = 5
MAX_TIMESTAMP_LOOKAHEAD = 10
MAX_TIMESTAMP_LOOKAHEAD = 20
MAX_TIMESTAMP_LOOKAHEAD = 30
Which of the following are required when defining an index in indexes.conf? (Choose all that apply.)
ColdPath
HomePath
FrozenPath
ThawedPath
Which of the following apply to how distributed search works? (Choose all that apply.)
The search head dispatches searches to the peers.
The search peers pull the data from the forwarders.
Peers run searches in parallel and return their portion of results.
The search head consolidates the individual results and prepares reports.
What hardware attribute would you need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
Disk
CPUs
Memory
Network interface cards
Which authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)
LDAP
SAML
RADIUS
Duo Multifactor Authentication
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)
Props.conf
Inputs.conf
Rawdata.conf
Transforms.conf
What conf file needs to be edited to set up distributed search groups?
Props.conf
Search.conf
Distsearch.conf
Distibutedsearch.conf
After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?
Index=main
Index=test
Index=summary
Index=_internal
Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)
Index once.
Monitor interval.
On-demand monitor.
Continuously monitor.
Which is a valid stanza for a network input?
[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns
[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web
[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web
[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns
Which additional component is required for a search head cluster?
Deployer
Cluster Master
Monitoring Console
Management Console
When are knowledge bundles distributed to search peers?
After a user logs in.
When Splunk is restarted.
When adding a new search peer.
When a distributed search is initiated.
Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?
_audit
_checkpoint
_introspection
_thefishbucket
If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?
Indexer
Forwarder
Search head
Deployment server
How can native authentication be disabled in Splunk?
Remove the $SPLUNK_HOME/etc/passwd file
Create an empty $SPLUNK_HOME/etc/passwd file
Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
Set nativeAuthentication=false in authentication.conf
Using SEDCMD in props.conf allows raw data to be modified. Given the event below, which option will mask the first three digits of the AcctID field, producing the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g
SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g
SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g
SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
When running a real-time search, search results are pulled from which Splunk component?
Heavy forwarders and search peers
Heavy forwarders
Search heads
Search peers
Which of the following is the use case for the deployment server feature of Splunk?
Managing distributed workloads in a Splunk environment.
Automating upgrades of Splunk forwarder installations on endpoints.
Orchestrating the operations and scale of a containerized Splunk deployment.
Updating configuration and distributing apps to processing components, primarily forwarders.
Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of users?
Linked roles
Grantable roles
Role federation
Role inheritance
Which of the following statements accurately describes using SSL to secure the feed from a forwarder?
It does not encrypt the certificate password.
SSL automatically compresses the feed by default.
It requires that the forwarder be set to compressed=true.
It requires that the receiver be set to compression=true.
Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?
Apps
Search
Data preview
Forwarder inputs
Which of the following statements describes how distributed search works?
Forwarders pull data from the search peers.
Search heads store a portion of the searchable data.
The search head dispatches searches to the search peers.
Search results are replicated within the indexer cluster.
In which phase do indexed extractions in props.conf occur?
Inputs phase
Parsing phase
Indexing phase
Searching phase
Which of the following must be done to define user permissions when integrating Splunk with LDAP?
Map Users
Map Groups
Map LDAP Inheritance
Map LDAP to Active Directory
An organization wants to collect Windows performance data from a set of clients, however, installing Splunk software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?
Use Local Windows host monitoring.
Use Windows Remote Inputs with WMI.
Use Local Windows network monitoring.
Use an index with an Index Data Type of Metrics.
Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?
Upload option
Forward option
Monitor option
Download option
How is data handled by Splunk during the input phase of the data ingestion process?
Data is treated as streams.
Data is broken up into events.
Data is initially written to disk.
Data is measured by the license meter.
How is a remote monitor input distributed to forwarders?
As an app.
As a forward.conf file.
As a monitor.conf file.
As a forwarder monitor profile.
When does a warm bucket roll over to a cold bucket?
When Splunk is restarted.
When the maximum warm bucket age has been reached.
When the maximum warm bucket size has been reached.
When the maximum number of warm buckets is reached.
After how many warnings within a rolling 30-day period will a license violation occur with an enforced Enterprise license?
1
3
4
5
An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the index?
Buy a bigger Splunk license
Add 2.5 TB each day for the next 5 days.
Add all 10 TB in a single 24 hour period.
Add 200 GB of historical data each day for 50 days.
Which Splunk configuration file is used to enable data integrity checking?
Props.conf
Global.conf
Indexes.conf
Data_integrity.conf
Where are deployment server apps mapped to clients?
Apps tab in forwarder management interface or clientapps.conf.
Clients tab in forwarder management interface or deploymentclient.conf.
Server Classes tab in forwarder management interface or serverclass.conf.
Client Applications tab in forwarder management interface or clientapps.conf.
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678. Which configuration file and stanza pair will mask possible SSNs in the log events?
props.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
KEY = _raw
props.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
transforms.conf
[mask-SSN]
REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
transforms.conf
[mask-SSN]
REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"
FORMAT = $1<SSN>###-##-$2
DEST_KEY = _raw
The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=* What field can the administrator check to see the data distribution?
Host
Index
Linecount
Splunk_server
The CLI command splunk add forward-server indexer: will create stanza(s) in which configuration file?
Inputs.conf
Indexes.conf
Outputs.conf
Servers.conf
Which of the following is a benefit of distributed search?
Peers run search in sequence.
Peers run search in parallel.
Resilience from indexer failure.
Resilience from search head failure.
What is the valid option for a [monitor] stanza in inputs.conf?
Enabled
Datasource
Server_name
IgnoreOlderThan
Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
Props.conf
Inputs.conf
Outputs.conf
Collections.conf
On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?
The blacklist takes precedence over the whitelist.
The whitelist takes precedence over the blacklist.
Wildcards are not supported in any client filters.
Machine type filters are applied before the whitelist and blacklist.
Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)
Inputs.conf
Monitor.conf
Outputs.conf
Forwarder.conf
The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?
Indexers, search head, universal forwarders, license master
Indexers, search head, deployment server, universal forwarders
Indexers, search head, deployment server, license master, universal forwarder
Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder
Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?
Duo Administrator
LDAP Administrator
SAML Administrator
Trio Administrator
What action is required to enable forwarder management in Splunk Web?
Navigate to Settings > Server Settings > General Settings, and set an App server port.
Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.
Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.
Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.
Which of the following is accurate regarding the input phase?
Breaks data into events with timestamps.
Applies event-level transformations.
Fine-tunes metadata.
Performs character encoding.
When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?
Enable indexer acknowledgment.
Enable forwarder acknowledgment.
Splunk check-integrity -index
index=_internal component=ACK | stats count by host
Which of the following accurately describes HTTP Event Collector indexer acknowledgement?
It requires a separate channel provided by the client.
It is configured the same as indexer acknowledgement used to protect in-flight data.
It can be enabled at the global setting level.
It stores status information on the Splunk server.
When indexing a data source, which fields are considered metadata?
Source, host, time
Time, sourcetype, source
Host, raw, sourcetype
Sourcetype, source, host
What is the default value of LINE_BREAKER?
\r\n
([\r\n]+)
\r+\n+
(\r\n+)
Which of the following monitor inputs stanza headers would match all of the following files?
/var/log/www1/secure.log
/var/log/www/secure.l
/var/log/www/logs/secure.logs
/var/log/www2/secure.log
[monitor:///var/log/.../secure.*]
[monitor:///var/log/www1/secure.*]
[monitor:///var/log/www1/secure.log]
[monitor:///var/log/www*/secure.*]
What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?
SPLUNK_HOME/etc/system/local/inputs.conf
[stanza1]
host=server1
SPLUNK_HOME/etc/apps/search/local/inputs.conf
[stanaza1]
host=searchsvr1
index=searchinfo
SPLUNK_HOME/etc/apps/unix/local/inputs.conf
[stanza1]
host=unixsvr1
index=unixinfo
Host=server1 index=unixinfo
Host=server1 index=searchinfo
Host=searchsvr1 index=searchinfo
Host=unixsvr1 index=unixinfo
An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)
Bucketdb
Frozendb
Colddb
Db
The LINE_BREAKER attribute is configured in which configuration file?
Props.conf
Indexes.conf
Inputs.conf
Transforms.conf
After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?
ChannelTTL
ConnectionTimeout
AutoLBFrequency
SecsInFailureInterval
A log file contains 193 days worth of timestamped events.
Which monitor stanza would be used to collect data 45 days old and newer from that log file?
FollowTail = -45d
Ignore = 45d
IncludeNewerThan = 45d
IgnoreOlderThan = 45d
After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?
90 days
60 days
7 days
14 days
Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?
Indexer
Deployment server
Universal forwarder
Search head
Which of the following is an appropriate description of a deployment server in a non-cluster environment?
Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.
Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.
Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.
Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.
Which Splunk forwarder has a built-in license?
Light forwarder
Heavy forwarder
Universal forwarder
Cloud forwarder
What happens when the same username exists in Splunk as well as through LDAP?
Splunk user is automatically deleted from authentication.conf.
LDAP settings take precedence.
Splunk settings take precedence.
LDAP user is automatically deleted from authentication.conf.
Consider the following stanza in inputs.conf:
[script://opt/splunk/etc/apps/search/bin/lister.sh]
disabled = 0
interval = 60.0
sourcetype = lister
What will the value of the source field be for events generated by this scripted input?
/opt/splunk/etc/apps/search/bin/lister.sh
Unknown
Lister
Lister.sh
Which of the following applies only to Splunk index data integrity check?
Lookup table
Summary Index
Raw data in the index
Data model acceleration
Which of the following types of data count against the license daily quota?
Replicated data
Splunkd logs
Summary index data
Windows internal logs
Which default Splunk role could be assigned to provide users with the following capabilities? Create saved searches - Edit shared objects and alerts - Not allowed to create custom roles
Admin
Power
User
Splunk-system-role
When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?
Default app
LDAP group
Password
Username
Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?
Splunk btool server list --debug
Splunk list forward-indexer
Splunk list forward-server
splunk btool indexes list --debug
Which artifact is required in the request header when creating an HTTP event?
AckID
Token
Manifest
Host name
All search-time field extractions should be specified on which Splunk component?
Deployment server
Universal forwarder
Indexer
Search head
In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?
Universal forwarders
Splunk Cloud
Linux package managers
Windows using WMI
What is the command to reset the fishbucket for one source?
rm -r ~/splunkforwarder/var/lib/splunk/fishbucket
splunk clean eventdata -index _thefishbucket
splunk cmd btprobe -d SPLUNK_HOME/var/lib/splunk/fishbucket/splunk_private_db --file <source> --reset
splunk btool fishbucket reset
Which setting configures Splunk to allow events to span more than one line?
SHOULD_LINEMERGE = true
BREAK_ONLY_BEFORE_DATE = true
BREAK_ONLY_BEFORE =
SHOULD_LINEMERGE = false
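As an added example (not from the quiz or from Splunk's own code), the following Python models what SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE and BREAK_ONLY_BEFORE do to a multi-line event during the parsing phase. It is a simplified model: the date pattern, the MAX_EVENTS cap and the sample log with a Java stack trace are assumptions and constructed input, and LINE_BREAKER, TRUNCATE and Splunk's real datetime patterns are not modelled. It shows why the setting matters for detection: with merging off, the stack trace lines become timestamp-less events separated from the ERROR that produced them.

```python
import re

# Constructed sample input (not from the original page): two single-line events
# around an ERROR whose Java stack trace continues on lines with no timestamp.
SAMPLE_LOG = """\
2024-03-01 10:15:02,113 INFO  AuthService - login ok user=alice src=10.0.0.5
2024-03-01 10:15:03,220 ERROR AuthService - token validation failed user=mallory src=198.51.100.7
java.lang.IllegalArgumentException: bad signature
    at com.example.auth.Jwt.verify(Jwt.java:88)
    at com.example.auth.AuthService.login(AuthService.java:41)
2024-03-01 10:15:04,001 WARN  AuthService - 3 failed logins user=bob src=10.0.0.9
"""

# Assumption: a date is "YYYY-MM-DD HH:MM:SS" at the start of the line. Real splunkd
# uses its datetime.xml patterns and also honours LINE_BREAKER, TRUNCATE and others;
# this is a simplified model of SHOULD_LINEMERGE / BREAK_ONLY_BEFORE(_DATE) only.
DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}")


def break_events(raw, should_linemerge=True, break_only_before_date=True,
                 break_only_before=None, max_events=256):
    """Return the list of events this simplified model produces from `raw`
    under the given props.conf settings."""
    lines = raw.splitlines()
    if not should_linemerge:
        # SHOULD_LINEMERGE = false: every line is its own event.
        return lines

    before_re = re.compile(break_only_before) if break_only_before else None

    def starts_new_event(line):
        if break_only_before_date and DATE_RE.match(line):
            return True
        if before_re and before_re.search(line):
            return True
        return False

    events, lines_in_current = [], 0
    for line in lines:
        # Merge into the previous event unless this line breaks, or the event has
        # already reached MAX_EVENTS lines (Splunk's cap on merged lines, default 256).
        if events and not starts_new_event(line) and lines_in_current < max_events:
            events[-1] += "\n" + line
            lines_in_current += 1
        else:
            events.append(line)
            lines_in_current = 1
    return events


def orphan_events(events):
    """Events that carry no timestamp of their own. splunkd would have to guess their
    _time, which is the failure mode that separates a stack trace from the error
    that caused it and makes a detection on the ERROR line lose its context."""
    return [e for e in events if not DATE_RE.match(e)]


if __name__ == "__main__":
    cases = [
        ("SHOULD_LINEMERGE=true, BREAK_ONLY_BEFORE_DATE=true", {}),
        ("SHOULD_LINEMERGE=false", {"should_linemerge": False}),
        ("SHOULD_LINEMERGE=true, BREAK_ONLY_BEFORE=^\\d{4}-",
         {"break_only_before_date": False, "break_only_before": r"^\d{4}-"}),
    ]
    for label, kwargs in cases:
        evs = break_events(SAMPLE_LOG, **kwargs)
        print(f"{label}: {len(evs)} events, {len(orphan_events(evs))} without a timestamp")
```

With the defaults the six lines become three events and the stack trace stays attached to the ERROR; with SHOULD_LINEMERGE = false the same input yields six events, three of them without a timestamp.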
In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?
21MB
28MB
14MB
7MB
Which of the following are reasons to create separate indexes? (Choose all that apply.)
Different retention times.
Increase number of users.
Restrict user permissions.
File organization.
Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?
DiskQueueSize
DurableQueueSize
PersistentQueueSize
QueueSize
A new forwarder has been installed with a manually created deploymentclient.conf.
What is the next step to enable the communication between the forwarder and the deployment server?
Restart Splunk on the deployment server.
Enable the deployment client in Splunk Web under Forwarder Management.
Restart Splunk on the deployment client.
Wait for up to the time set in the phoneHomeIntervalInSecs setting.
When using a directory monitor input, a specific source type can be selectively overridden using which configuration file?
props.conf
sourcetypes.conf
transforms.conf
outputs.conf
When using license pools, volume allocations apply to which Splunk components?
Indexers
Indexes
Heavy Forwarders
Search Heads
An add-on has configured field aliases for source IP address and destination IP address fields.
A specific user prefers not to have those fields present in their user context. Based on the default props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be added to the user’s local context to disable the field aliases?
SPLUNK_HOME/etc/apps/myTA/default/props.conf
[mySourcetype]
FIELDALIAS-cim-src_ip = sourceIPAddress as src_ip
FIELDALIAS-cim-dest_ip = destinationIPaddress as dest_ip
[mySourcetype]
disable FIELDALIAS-cim-src_ip
disable FIELDALIAS-cim-dest_ip
[mySourcetype]
FIELDALIAS-cim-src_ip =
FIELDALIAS-cim-dest_ip =
[mySourcetype]
unset FIELDALIAS-cim-src_ip
unset FIELDALIAS-cim-dest-ip
[mySourcetype]
#FIELDALIAS-cim-src_ip = sourceIPAddress as src_ip
#FIELDALIAS-cim-dest_ip = destinationIPaddress as dest_ip
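As an added example (not from the quiz, the add-on, or Splunk's own code), the following Python layers the user's local props.conf over the add-on's default and applies the resulting FIELDALIAS settings to a constructed event, which makes the difference between the four candidate stanzas concrete. It is a simplified model of Splunk configuration precedence, and its assumptions are: '#' lines are comments, a line without '=' is not a setting, a higher-precedence layer replaces a key even when the new value is empty, and the sample event fields are invented.

```python
import re

# The add-on's default props.conf from the question
# (SPLUNK_HOME/etc/apps/myTA/default/props.conf).
APP_DEFAULT = """\
[mySourcetype]
FIELDALIAS-cim-src_ip = sourceIPAddress as src_ip
FIELDALIAS-cim-dest_ip = destinationIPaddress as dest_ip
"""

# The four candidate stanzas for SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf.
CANDIDATES = {
    "disable": "[mySourcetype]\ndisable FIELDALIAS-cim-src_ip\ndisable FIELDALIAS-cim-dest_ip\n",
    "empty":   "[mySourcetype]\nFIELDALIAS-cim-src_ip =\nFIELDALIAS-cim-dest_ip =\n",
    "unset":   "[mySourcetype]\nunset FIELDALIAS-cim-src_ip\nunset FIELDALIAS-cim-dest-ip\n",
    "comment": "[mySourcetype]\n#FIELDALIAS-cim-src_ip = sourceIPAddress as src_ip\n"
               "#FIELDALIAS-cim-dest_ip = destinationIPaddress as dest_ip\n",
}

# Constructed sample event (not from the page), as seen after its own field extractions.
EVENT = {"sourceIPAddress": "10.0.0.5", "destinationIPaddress": "192.0.2.10", "action": "allowed"}


def parse_conf(text):
    """Parse a .conf fragment into {stanza: {key: value}}.
    Assumption (simplified model of splunkd): '#' lines are comments and a line
    without '=' is not a setting, so neither contributes to the merged config."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = stanzas.setdefault(m.group(1), {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        current[key.strip()] = value.strip()
    return stanzas


def merge_layers(*layers):
    """Merge layers in increasing precedence (app default < app local < user local
    for search-time settings). A key in a higher layer replaces the lower one even
    when its value is empty; an empty FIELDALIAS value is what disables the alias."""
    merged = {}
    for layer in layers:
        for stanza, settings in layer.items():
            merged.setdefault(stanza, {}).update(settings)
    return merged


ALIAS_PAIR_RE = re.compile(r"(\S+)\s+AS\s+(\S+)", re.IGNORECASE)


def apply_field_aliases(settings, event):
    """Apply every non-empty FIELDALIAS-* setting ('orig AS alias [orig2 AS alias2 ...]')."""
    out = dict(event)
    for key, value in settings.items():
        if key.startswith("FIELDALIAS-") and value:
            for orig, alias in ALIAS_PAIR_RE.findall(value):
                if orig in event:
                    out[alias] = event[orig]
    return out


def fields_for_user(user_local_text):
    """Fields user buttercup sees for EVENT once her local props.conf is layered
    on top of the add-on's default."""
    merged = merge_layers(parse_conf(APP_DEFAULT), parse_conf(user_local_text))
    return apply_field_aliases(merged.get("mySourcetype", {}), EVENT)


def aliases_disabled(user_local_text):
    fields = fields_for_user(user_local_text)
    return "src_ip" not in fields and "dest_ip" not in fields


if __name__ == "__main__":
    print("no override:", fields_for_user(""))
    for name, text in CANDIDATES.items():
        print(f"{name:8s} -> aliases disabled: {aliases_disabled(text)}")
```

Only the stanza that assigns empty values changes the merged configuration; the "disable" and "unset" lines are not settings at all, and the commented lines vanish before merging, so in those three cases the add-on's aliases survive into the user's context.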
Which forwarder is recommended by Splunk to use in a production environment?
Heavy forwarder
SSL forwarder
Lightweight forwarder
Universal forwarder
Which of the following Splunk components require a separate installation package?
Deployment server
License master
Universal forwarder
Heavy forwarder
Which data pipeline phase is the last opportunity for defining event boundaries?
Input phase
Indexing phase
Parsing phase
Search phase
Can the @ symbol be used in the advanced time unit option?
No
Yes
New data uploaded to Splunk is shown in ________________.
Real-time
10 Minutes
Overnight Download
30 Minutes