Knowledge Check Flashcards

1
Q

Which installer will the System Admin use to install the heavy forwarder?

A

Splunk Enterprise

2
Q

Which configuration file tells a Splunk instance to ingest data?

A

inputs.conf

3
Q

True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory as it has the highest precedence.

A

False. SPLUNK_HOME/etc/system/local does have the highest precedence, but that is exactly why it is a poor place for parsing settings: they cannot be packaged, deployed or overridden as a unit. Put the configuration file in the local directory of your app (SPLUNK_HOME/etc/apps/<app>/local).

4
Q

When you configure the inputs using Settings > Add Data, under what directory is the inputs.conf created?

A

It depends on the App Context setting on the Input Settings stage. Best practice is to put the configuration file in the local directory of your app. If you have clustering enabled, SPLUNK_HOME/etc/system/local may not be the highest in the precedence order. More details are available in the Cluster Admin course.

5
Q

True or False. You cannot change the sourcetype when you go through the Settings > Add Data wizard.

A

False. You can change the source type from the dropdown. In fact, you can even create a new source type. We will learn how to do this in Module 9.

6
Q

True or False. Splunk will not create an inputs.conf file when you use the Upload option in Settings > Add Data.

A

True. Upload is a one-time process, so Splunk does not create an inputs.conf entry for it.

7
Q

If the forwarder is set to load-balance its data across 2 indexers at 30-second intervals, does it switch at exactly the 30th second?

A

Not always. The forwarder does not want to send half an event to indexer1 and the other half to indexer2. To avoid this, if the forwarder is tailing a file, for example, it waits for an EOF or a pause in I/O activity before it switches.

8
Q

True or False. Turning SSL on between the forwarder and the receiver automatically compresses the feed.

A

True

9
Q

What configuration file on the forwarder defines where data is to be forwarded to?

A

outputs.conf
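A worked outputs.conf on the forwarder and the matching receiving stanza on the indexer, tying cards 7, 8, 9 and 12 together. This is an added example, not configuration from the course: the hostnames, certificate paths, the output group name and the key passwords are assumptions.

```ini
# outputs.conf on the forwarder (added example; hostnames, paths and the
# group name are assumptions)
[tcpout]
defaultGroup = primary_indexers

[tcpout:primary_indexers]
server = idx1.example.internal:9997, idx2.example.internal:9997
# Switch between the two receivers about every 30 seconds. The switch waits
# for an event boundary (EOF or a pause in the stream), so it is not exact.
autoLBFrequency = 30
# TLS to the receiver. Compression is applied automatically once SSL is on,
# so no separate "compressed = true" is needed.
clientCert = $SPLUNK_HOME/etc/auth/forwarder.pem
sslPassword = <password-for-the-private-key>
# Verify the receiver's certificate against the CA bundle configured in
# server.conf ([sslConfig] sslRootCAPath) and check its common name.
sslVerifyServerCert = true
sslCommonNameToCheck = idx1.example.internal, idx2.example.internal

# inputs.conf on each indexer: the receiving port. Any free port works; 9997
# is only the convention, and 8089 (the management port) is not involved.
[splunktcp-ssl:9997]
disabled = 0

[SSL]
serverCert = $SPLUNK_HOME/etc/auth/indexer.pem
sslPassword = <password-for-the-private-key>
# Reject forwarders that do not present a certificate signed by our CA, so an
# arbitrary host on the network cannot push events into the index.
requireClientCert = true
```

After restarting the forwarder, `splunk list forward-server` on the forwarder shows whether each receiver in the group is active or only configured, which is the quickest check that the certificate settings on both sides agree.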

10
Q

True or False. The HF has a GUI (Splunk Web).

A

True

11
Q

True or False. The UF and the HF can be used to mask data before transmitting to indexers.

A

False. Only the HF, which is a full Splunk Enterprise instance, can perform data masking; the UF does not parse event data, so it forwards it unchanged.

12
Q

True or False. The listening (receiving) port on the HF has to be 8089.

A

False. 8089 is the management port. The receiving port can be any free port (9997 is the convention).

13
Q

On the DS, what is the difference between the apps sitting in the SPLUNK_HOME/etc/apps folder versus the SPLUNK_HOME/etc/deployment-apps?

A

The apps in SPLUNK_HOME/etc/apps are the Deployment Server's own apps; the apps in SPLUNK_HOME/etc/deployment-apps are the ones it distributes to clients.

14
Q

When an app is deployed from the DS to the client, where will you find that app on the client by default?

A

By default, apps deployed from the DS land in the client's SPLUNK_HOME/etc/apps folder.

15
Q

True or False. Deployment Clients poll the DS on port 9997.

A

False. Clients poll the DS on its management port (8089 by default). 9997 is the conventional data-receiving port.

16
Q

True or False. You can use the wildcards ... and * in the whitelist and blacklist settings.

A

False. whitelist and blacklist take regular expressions matched against the file path. The ... and * wildcards are for the monitor stanza name.

17
Q

True or False. The host_regex setting in inputs.conf can extract the host from the filename only.

A

False. It can extract the host from any part of the file's path, not just the filename.

18
Q

After a file monitor is set up and running, if you decide to change the host value, will the new host value be reflected in the old data that has already been ingested?

A

No. All changes apply to new data only. To reflect the change in your old data, you would need to delete and re-ingest it.

19
Q

In our environment, we have a UF, an Indexer and a SH. Which instance contains the _fishbucket index?

A

Each instance keeps its own local _fishbucket. On the UF it records how far each monitored file has been read, which is what lets the forwarder resume without re-sending data after a restart.

20
Q

True or False. Persistent queues and memory queues can be applied to network as well as scripted inputs.

A

True

21
Q

Why is it a Best Practice to send data to a syslog collector that writes into a directory structure and then have a UF/HF ingest the data from the directory structure?

A

If the UF has to be restarted, the _fishbucket lets it resume the file where it left off, so nothing is lost. A syslog feed aimed directly at a network input on the forwarder has nothing listening while the forwarder is down.

22
Q

True or False. The interval setting for scripted inputs can be specified in cron syntax.

A

True. You can specify the interval in either number of seconds or cron syntax

23
Q

Is it possible to use a fixed host value, rather than the DNS name or IP address of the sender, for a TCP input? How?

A

Yes. Under the input's stanza in inputs.conf, set connection_host = none and specify the host value with the host setting.
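An inputs.conf that exercises cards 16, 17, 20, 21, 22 and 23 in one place: a recursive monitor over a syslog directory tree with regex filters and a host taken from the path, a TCP listener with a fixed host value and a persistent queue, and a scripted input on a cron schedule. This is an added example, not from the course; every path, host name, port, index name and script name is an assumption.

```ini
# inputs.conf (added example; paths, host names, ports, index names and the
# script under my_app are assumptions)

# A syslog daemon writes to /var/log/remote/<sending host>/..., and the
# forwarder tails that tree. In the stanza name, ... matches any depth of
# subdirectory and * matches within one path segment.
[monitor:///var/log/remote/.../*.log]
sourcetype = syslog
index = network
# whitelist and blacklist are regular expressions matched against the full
# path; they are not wildcards
whitelist = \.log$
blacklist = \.(gz|bak)$
# Take the host from the directory in the path, not from the file name.
# The first capture group becomes the host value.
host_regex = /var/log/remote/([^/]+)/
disabled = 0

# Direct TCP listener with a fixed host value instead of reverse DNS or the
# sender's IP address.
[tcp://5514]
sourcetype = syslog
index = network
connection_host = none
host = edge-firewall
# Bounded in-memory queue plus an on-disk persistent queue: data received
# while the indexers are unreachable survives a forwarder restart.
queueSize = 10MB
persistentQueueSize = 500MB

# Scripted input. interval accepts a number of seconds or a cron expression,
# and scripted inputs can use the persistent queue as well.
[script://$SPLUNK_HOME/etc/apps/my_app/bin/collect.sh]
interval = */5 * * * *
sourcetype = my_app:collect
index = main
persistentQueueSize = 50MB
```

The persistent queue settings apply only to the network and scripted stanzas; the monitor stanza does not need them because the file itself plus the _fishbucket already act as the durable buffer.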

24
Q

True or False. You can set up a Windows input using a UF on the Windows server and send the data to an indexer running on Linux.

A

True

25
Q

True or False. You can collect Active Directory data from a Windows server remotely using wmi.conf.

A

False. Only Windows event logs and performance monitoring data can be collected remotely using wmi.conf.

26
Q

True or False. The HTTP Event Collector can be set up on a UF.

A

False. The HTTP Event Collector can be set up on an indexer or HF.

27
Q

True or False. Data can be sent in JSON or any raw data format to the HTTP Event Collector.

A

True

28
Q

True or False. StatsD can be used to collect metric data over HTTPS via HEC.

A

False. collectd is the agent that sends metric data over HTTPS to HEC.

29
Q

True or False. Metrics data also needs values for host, source type and index.

A

True
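An HTTP Event Collector configuration covering cards 26 to 29: the global [http] stanza on the HF or indexer that runs the collector, one token for application events and one for collectd metrics. This is an added example, not from the course; the stanza names, index names, the sourcetype for the application feed and the token placeholders are assumptions.

```ini
# inputs.conf on the HF or indexer that hosts the collector (added example;
# stanza names, index names and the app sourcetype are assumptions)
[http]
disabled = 0
port = 8088
# Clients must speak TLS to the collector; tokens travel in a header.
enableSSL = 1

# Token for an application that posts JSON or raw text events.
[http://payments_api]
token = <uuid-generated-when-the-token-is-created>
index = app_payments
# Restrict which indexes this token may write to. A leaked token can then
# only pollute its own index, not every index on the instance.
indexes = app_payments
sourcetype = app:payments
disabled = 0

# Token for collectd's write_http plugin. Metric events still carry host,
# sourcetype and index; the target index must be created with
# datatype = metric in indexes.conf.
[http://collectd_metrics]
token = <second-uuid>
index = metrics_host
indexes = metrics_host
sourcetype = collectd_http
disabled = 0
```

Keep one token per producer so a single credential can be revoked (disabled = 1 on its stanza) without touching the others.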

30
Q

True or False. Time extraction can be done using props.conf on the UF as well as the HF.

A

False. The UF can extract the timestamp only for structured files that carry a header line (covered later in the course). If the file has no header line, the timestamp has to be extracted on the HF or indexer.

31
Q

True or False. Event boundaries can be defined using props.conf on the UF.

A

True. You may want to define event boundaries for certain source types at the UF level. Remember that the more you do on the UF, the more resources it needs.

32
Q

True or False. When extracting a timestamp, if the parser can read the indexer's OS time, it uses that as its first preference.

A

False. The indexer's OS time is the last resort, used only when every other source of a timestamp has failed.

33
Q

True or False. SEDCMD can be used to eliminate unwanted events.

A

False. To drop events you have to use transforms.conf (routing them to the nullQueue). SEDCMD can only mask or truncate data within an event.

34
Q

True or False. When using transforms.conf, SOURCE_KEY is set to _raw by default.

A

True. If you do not specify the SOURCE_KEY in transforms.conf, it defaults to _raw
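A props.conf and transforms.conf pair that puts cards 30 to 34 (and the masking point from card 11) into practice for one source type: explicit event boundaries, an explicit timestamp location so the parser never falls back to the indexer's clock, SEDCMD masking of a card number, and a transforms.conf stanza that drops health-check noise via the nullQueue. This is an added example, not from the course; the sourcetype name, the log layout and all regexes are assumptions, and it belongs on the HF or indexer, not the UF.

```ini
# props.conf (added example; the sourcetype, log layout and regexes are
# assumptions). Goes on the first full Splunk Enterprise instance in the path.
[app:payments]
# Event boundaries: one event per line, each starting with an ISO-8601 stamp.
SHOULD_LINEMERGE = false
LINE_BREAKER = ([\r\n]+)(?=\d{4}-\d{2}-\d{2}T)
# Timestamp: say exactly where it is and what it looks like. With these set
# the parser does not have to guess, and the indexer's OS time is never used.
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%3N%z
MAX_TIMESTAMP_LOOKAHEAD = 30
# Mask a 16-digit card number, keeping the first and last four digits.
# SEDCMD rewrites _raw before indexing; it cannot discard the event.
SEDCMD-mask_pan = s/\b(\d{4})[ -]?\d{4}[ -]?\d{4}[ -]?(\d{4})\b/\1-XXXX-XXXX-\2/g
# Drop noise by handing matching events to a transform that targets the
# nullQueue. TRANSFORMS- keys run in the order listed in the stanza.
TRANSFORMS-drop_noise = drop_healthchecks

# transforms.conf
[drop_healthchecks]
# SOURCE_KEY is not set, so it defaults to _raw and REGEX runs over the
# whole event text.
REGEX = ^\S+\s+GET /healthz\s
DEST_KEY = queue
FORMAT = nullQueue
```

Test masking and dropping on a copy of the data before rolling it out: once a card number has been indexed unmasked, the only remedy is deleting and re-ingesting the bucket's data (the same point card 18 makes about the host value).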

35
Q

True or False. props.conf and transforms.conf are used to store field extractions, lookups, saved searches and macros.

A

False. Of those, props.conf and transforms.conf hold only the field extractions and lookup definitions. Saved searches are stored in savedsearches.conf and macros in macros.conf.

36
Q

True or False. A user in any role has the ability to reassign any knowledge object.

A

False. Only users in the admin role can reassign any knowledge object.

37
Q

True or False. When you are using Splunk Web and select the REGEX option in the Field Extractor, it uses props.conf and transforms.conf in the background

A

False. The regex option writes only to props.conf. Delimiter-based extractions that need entries in both props.conf and transforms.conf are created manually.

38
Q

Which installer will you use to install the Search Head?

A

Splunk Enterprise

39
Q

True or False. When you install Splunk on a Windows OS, you also have to configure boot-start.

A

False. The Windows installer registers Splunk as a service. Only on a Linux installation do you enable boot-start yourself (splunk enable boot-start).

40
Q

True or False. The default Splunk Web port is set to 8000

A

True

41
Q

True or False. Splunk provides separate licenses for metrics and events data

A

False. Metrics data draws from the same license quota as event data

42
Q

True or False. Search heads also need an Enterprise license (or must be configured as a license peer of a license master that holds one) even though no inputs are configured on them.

A

True

43
Q

True or False. If indexing exceeds the daily license quota in a pool, your license immediately goes into violation.

A

False. If indexing exceeds the allocated daily quota in a pool, an alert is raised. If it is not resolved by midnight, the alert becomes a warning. Five or more warnings on an enforced Enterprise license, or three warnings on a Free license, within a rolling 30-day period is a violation.

44
Q

True or False. Write permission on an app means that the user's role is able to modify the app itself.

A

False. A role with write permission on an app can add, delete and modify the knowledge objects used in the app.

45
Q

True or False. Universal forwarders do not have a web interface, but they can still benefit from an app.

A

True

46
Q

Which configuration file tells a Splunk instance to ingest data?

A

inputs.conf

47
Q

True or False. When Splunk starts, configuration files are merged together into a single run-time model for each file type

A

True

48
Q

True or False. btool shows the on-disk configuration for the requested file, merged across all locations in precedence order.

A

True

49
Q

True or False. By default, Splunk automatically sets a frozen path when you create an index.

A

False. No frozen path is set by default. Unless coldToFrozenDir (or coldToFrozenScript) is configured, buckets that roll to frozen are deleted.

50
Q

True or False. When hot buckets roll to warm they move to a different directory.

A

False. Hot and warm buckets stay in the same directory (homePath). When a hot bucket rolls to warm it is renamed, not moved.

51
Q

True or False. The _introspection index tracks system performance and Splunk resource usage data.

A

True

52
Q

True or False. Frozen buckets roll to Thawed automatically

A

False. To thaw a frozen bucket you start by copying the bucket directory from the frozen location into the index's thaweddb directory, then follow the steps on the "Restoring Frozen Buckets" slide.

53
Q

True or False. When you create an index from Splunk Web, it creates a stanza in inputs.conf.

A

False. It creates a stanza in indexes.conf
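An indexes.conf stanza illustrating cards 49 to 53 together: the three bucket paths (hot and warm share homePath, and thawedPath is where restored buckets go), the retention settings that decide when a bucket rolls to frozen, and the coldToFrozenDir that turns the default delete into an archive. This is an added example, not from the course; the index name, paths, sizes and retention period are assumptions.

```ini
# indexes.conf (added example; the index name, paths, sizes and retention
# period are assumptions)
[network]
homePath   = $SPLUNK_DB/network/db
coldPath   = $SPLUNK_DB/network/colddb
thawedPath = $SPLUNK_DB/network/thaweddb
# Hot and warm buckets both live under homePath; a hot bucket is renamed,
# not moved, when it rolls to warm. Rolling to cold is what moves it.
maxHotBuckets = 3
maxWarmDBCount = 300
# Retention: a bucket rolls to frozen once its newest event is older than
# 90 days, or earlier if the whole index exceeds 500 GB.
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 512000
# Without this setting (or coldToFrozenScript) frozen buckets are deleted.
# With it, the bucket directory is copied here, which is also where you
# copy from when restoring a bucket into thawedPath.
coldToFrozenDir = /srv/splunk-archive/network
```

Size the archive volume for the combined effect of both limits: maxTotalDataSizeMB keeps the live index bounded, but everything it evicts lands in coldToFrozenDir, and nothing in Splunk prunes that directory.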

54
Q

True or False. When running the splunk clean command, you can set a date range for the events you want to delete.

A

False. splunk clean eventdata removes all events in the named index (or in every index); there is no option to limit it to a date range.

55
Q

True or False. If you are installing a search head and an indexer, Splunk requires an admin account on each instance.

A

True

56
Q

True or False. If you want a role that is "like" user but with some capabilities turned off, you can create a new role that inherits from the user role and remove those capabilities.

A

False. Inherited capabilities cannot be removed from a role. You have to create a new role that does NOT inherit from the user role and turn on the same capabilities as user, except the ones you want turned off.
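An authorize.conf stanza for the situation in card 56: a role that is close to user but deliberately lacks a few capabilities. Because inherited capabilities cannot be removed, it does not use importRoles; instead the wanted capabilities are listed explicitly. This is an added example, not from the course; the role name, the index names, the quotas and the particular set of capabilities kept and dropped are assumptions.

```ini
# authorize.conf (added example; role name, indexes, quotas and the chosen
# capability set are assumptions)
# A read-only analyst: can search two indexes but cannot schedule searches
# or change their own password. No importRoles line, so nothing is inherited
# and every capability below is an explicit grant.
[role_readonly_analyst]
srchIndexesAllowed = network;web
srchIndexesDefault = network
# Keep the blast radius of a runaway search small.
srchJobsQuota = 3
srchDiskQuota = 100
search = enabled
rest_properties_get = enabled
list_inputs = enabled
# Deliberately absent: schedule_search, change_own_password. Had this role
# imported user, both would be present and could not be switched off here.
```

After a restart, confirm the effective set with the role's page under Settings > Roles, or by searching `| rest /services/authorization/roles` from an admin session: any capability listed there that you did not grant has crept in through inheritance.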

57
Q

True or False. You can unlock a user from the CLI

A

True

58
Q

True or False. You have to configure a separate receiving port on the indexer for each universal forwarder.

A

False. One receiving port accepts connections from any number of forwarders; you do not create a port per UF.

59
Q

True or False. When you install a UF on a Windows OS, you get a GUI for the UF.

A

False. Universal forwarders do not have a GUI on Windows or on any other OS.

60
Q

The command splunk add forward-server <indexer>:<receiving-port> creates stanza(s) in which conf file?

A

outputs.conf

61
Q

True or False. When adding a search peer you have to enter the username and password of an account on the search peer, and that account must have the edit_role capability.

A

False. The account must have the edit_user capability.

62
Q

True or False. Knowledge bundles contain the knowledge objects the indexers need in order to run searches.

A

True

63
Q

True or False. A quarantined search peer is prevented from taking part in new searches but continues to attempt to service any currently running search.

A

True

64
Q

As an admin, you want to look at the contents of the zip file created by running a diag. How would you check it?

A

Splunk it! Ingest the zip file on your test server into a test index and search it.

65
Q

What are the two types of clustering provided by Splunk?

A

Indexer clustering and search head clustering