Splunk Certified Admin - Online1 Flashcards

Question 1

Q

<p>Which authentication methods are natively supported within Splunk Enterprise? (Select all that apply)
A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication</p>

Answer

A

A B C D

Question 2

Q

<p>Which of the following are required when defining an index in indexes.conf? (Select all that apply.)
A. coldPath
B. homePath
C. frozenPath
D. thawedPath</p>

Answer

A

A B D

Question 3

Q

Which of the following apply to how distributed search works? (Select all that apply.)
A. The search head dispatches searches to the peers.
B. The search peers pull the data from the forwarders.
C. Peers run searches in parallel and return their portion of results.
D. The search head consolidates the individual results and prepares reports.

Answer

A

A C D

Question 4

Q

<p>What hardware attribute would you need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
A. Disk
B. CPUs
C. Memory
D. Network interface cards</p>

Question 5

Q

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Question 6

Q

<p>Which Splunk component performs indexing and responds to search requests from the search head?
A. Forwarder
B. Search peer
C. License master
D. Search head cluster</p>

Question 7

Q

<p>When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
A. App Class
B. Client Class
C. Server Class
D. Forwarder Class</p>

Question 8

Q

<p>In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([rn]+)d{4}-d{2}-d{2} d{2}:d{2}:d{2}
SHOUD_LINEMERGE = false TRUNCATE = 0
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366
A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30</p>

Question 9

Q

<p>Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
A. Any OS platform.
B. Linux platform only.
C. Windows platform only.
D. None of the above.</p>

Question 10

Q

<p>What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
A. REGEX, DEST, FORMAT
B. REGEX, SRC_KEY, FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING</p>

Question 11

Q

<p>Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.)
A. _licence
B. _internal
C. _external
D. _thefishbucket</p>

Answer

A

B D

Question 12

Q

How often does Splunk recheck the LDAP server?
A. Every 5 minutes.
B. Each time a user logs in.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.

Question 13

Q

<p>Where are license files stored?
A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses</p>

Question 14

Q

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Question 15

Q

What is the difference between the two wildcards … and * for the monitor stanza in inputs.conf?
A. … is not supported in monitor stanzas.
B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.
D. … matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Question 16

Q

<p>What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs</p>

Question 17

Q

<p>Which valid bucket types are searchable? (Select all that apply.)
A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets</p>

Answer

A

A B C

Question 18

Q

How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.

Question 19

Q

<p>Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server</p>

Question 20

Q

<p>Which layers are involved in Splunk configuration file layering? (Select all that apply.)
A. App context
B. User context
C. Global context
D. Forwarder context</p>

Answer

A

A B C

Question 21

Q

<p>Which of the following are methods for adding inputs in Splunk? (Select all that apply.)
A. CLI
B. Splunk Web
C. Editing inputs.conf
D. Editing monitor.conf</p>

Answer

A

A B C

Question 22

Q

<p>Which of the following authentication types requires scripting in Splunk?
A. ADFS
B. LDAP
C. SAML
D. RADIUS</p>

Question 23

Q

Which of the following statements apply to directory inputs? (Select all that apply.)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer

A

A C

Question 24

Q

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A. [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
B. [distributedSearch] servers =nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON] default = false servers = houston1, houston2
C. [distributedSearch] servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
[distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
D. [distributedSearch] servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
[distributedSearch:NYC] default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089; houston2:8089

Question 25

Q

Which of the following is a valid distributed search group?
A. [distributedSearch:Paris] default = false servers = server1, server2
B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089
C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997
D. [distributedSearch:Paris] default = false servers = server1:8089, server2:8089

Question 26

Q

Local user accounts created in Splunk store passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

Question 27

Q

<p>For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True
B. False
C. 
D. Newline Character</p>

Question 28

Q

Which of the following are supported options when configuring optional network inputs?
A. Metadata override, sender filtering options, network input queues (quantum queues)
B. Metadata override, sender filtering options, network input queues (memory/persistent queues)
C. Filename override, sender filtering options, network output queues (memory/persistent queues)
D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer

A

B. Metadata override, sender filtering options, network input queues (memory/persistent queues)

Metadata override’s refer to host name based on DNS, IP or pre-defined value.

Sender filtering options refer to blocking or accepting a network input based on the senders IPv4, IPv6, CIDR block or DNS name.

Network input queues refer to controlling how recieved data is gathered before it is sent to the indexer.
queueSize default is 500kb.
Optionaly persistentQueueSize can be defined so that network input data can be stored on the disk, for events where the indexers are not available, otherwise the data will be droped when queueSize is reached but unable to be sent to the indexer.

Question 29

Q

<p>What is the default character encoding used by Splunk during the input phase?
A. UTF-8
B. UTF-16
C. EBCDIC
D. ISO 8859</p>

Question 30

Q

Which of the following enables compression for universal forwarders in outputs.conf?
A. [udpout:mysplunk_indexer11] compression=true
B. [tcpout] defaultGroup=my_indexers compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false

Question 31

Q

<p>User role inheritance allows what to be inherited from the parent role? (Select all that apply.)
A. Parents
B. Capabilities
C. Index access
D. Search history</p>

Answer

A

B C

Question 32

Q

<p>Within props.conf, which stanzas are valid for data modification? (Select all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype</p>

Answer

A

A C D

Question 33

Q

<p>What is the correct order of steps in Duo Multifactor Authentication?
A. 1. Request Login
2. Connect to SAML server
3. Duo MFA
4. Create User session
5. Authentication Granted
6. Log into Splunk
B. 1. Request Login
2. Duo MFA
3. Authentication Granted
4. Connect to SAML server
5. Log into Splunk
6. Create User session
C. 1. Request Login
2. Check authentication / group mapping
3. Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk
D. 1. Request Login
2. Duo MFA
3. Check authentication / group mapping
4. Create User session
5. Authentication Granted
6. Log into Splunk</p>

Question 34

Q

<p>Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/apps/bin
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps//bin</p>

Answer

A

A C D

Question 35

Q

How does the Monitoring Console monitor forwarders?
A. By pulling internal logs from forwarders.
B. By using the forwarder monitoring add-on.
C. With internal logs forwarded by forwarders.
D. With internal logs forwarded by deployment server.

Answer

A

C. The Monitoring Console does not query forwarders directly for data, but rather gets its data from the indexers that the forwarders connect to.

Question 36

Q

What options are available when creating custom roles? (Select all that apply.)
A. Restrict search terms.
B. Whitelist search terms.
C. Limit the number of concurrent search jobs.
D. Allow or restrict indexes that can be searched.

Answer

A

A C D

Question 37

Q

Which of the following statements describe deployment management? (Select all that apply.)
A. Requires an Enterprise license.
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders.
D. Can automatically restart the host OS running the forwarder.

Answer

A

A B

Question 38

Q

During search time, which directory of configuration files has the highest precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default
C. $SPLUNK_HOME/etc/apps/app1/local
D. $SPLUNK_HOME/etc/users/admin/local

Answer

A

D

| (Actually it should be $SPLUNK_HOME/etc/users/admin/app1/local)

Question 39

Q

<p>Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
A. Universal forwarder
B. Parsing forwarder
C. Heavy forwarder
D. Advanced forwarder</p>

Question 40

Q

<p>What is required when adding a native user to Splunk? (Select all that apply.)
A. Password
B. Username
C. Full Name
D. Default app</p>

Answer

A

A B

Question 41

Q

<p>What are the minimum required settings when creating a network input in Splunk?
A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number</p>

Question 42

Q

<p>Which Splunk component requires a Forwarder license?
A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder</p>

Question 43

Q

<p>Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER_ROUTING</p>

Question 44

Q

<p>To set up a network input in Splunk, what needs to be specified?
A. File path.
B. Username and password.
C. Network protocol and port number.
D. Network protocol and MAC address.</p>

Question 45

Q

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?
A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Question 46

Q

<p>When running the command shown below, what is the default path in which deploymentclient.conf is created? splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default
D. SPLUNK_HOME/etc/apps/deployment</p>

Question 47

Q

<p>The priority of layered Splunk configuration files depends on the file’s:
A. Owner
B. Weight
C. Context
D. Creation time</p>

Question 48

Q

<p>When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
A. Slash notation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression</p>

Question 49

Q

<p>Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers</p>

Question 50

Q

<p>Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
A. Deployer
B. Cluster master
C. Deployment server
D. Search head cluster master</p>

Question 51

Q

<p>Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps</p>

Question 52

Q

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages] sourcetype=syslog index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog] sourcetype=maillog index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above

Question 53

Q

<p>Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)
A. CLI
B. Edit inputs.conf
C. Edit forwarder.conf
D. Forwarder Management</p>

Answer

A

A B D

Question 54

Q

<p>Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default</p>

Question 55

Q

<p>Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs</p>

Question 56

Q

<p>The universal forwarder has which capabilities when sending data? (Select all that apply.)
A. Sending alerts
B. Compressing data
C. Obfuscating/hiding data
D. Indexer acknowledgement</p>

Answer

A

B D

Question 57

Q

In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first.

Question 58

Q

<p>In which Splunk configuration is the SEDCMD used?
A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf</p>

Brainscape's Knowledge GenomeTM

Splunk Certified Admin - Online1 Flashcards

Brainscape's Knowledge Genome^TM