Splunk Enterprise 8.0 Data Admin - LG1 Flashcards
Which installer will the System Admin use to install the heavy forwarder?
Splunk Enterprise
Which configuration file tells a Splunk instance to ingest data?
inputs.conf
True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.
False. Best practice is to put the configuration in an app’s local directory (SPLUNK_HOME/etc/apps//local).
When you configure the inputs using Settings > Add Data, under what directory is the inputs.conf created?
It depends on the App Context setting on the Input Setting stage. Best practice is to put the configuration file in the local directory of your app. If you have clustering enabled, then the SPLUNK_HOME/etc/system/local may not be the highest in the precedence order.
True or False. You cannot change the sourcetype when you go through the Settings > Add Data wizard.
False. You can change the sourcetype from the dropdown. In fact, you can even create a new sourcetype.
True or False. Splunk will not create an inputs.conf file when you use the Upload option in Settings > Add Data.
True. Upload is a one-time process, so Splunk does not create an inputs.conf.
If the forwarder is set to send its data to 2 indexers at 30-second intervals, does it switch exactly at the 30th second?
Not always. The forwarder does not want to send half an event to indexer1 and the other half to indexer2. To avoid this situation, for example, if the forwarder is tailing a file, then it waits for an EOF or a pause in IO activity before it switches.
True or False. Turning SSL on between the forwarder and the receiver automatically compresses the feed.
True
What configuration file on the forwarder defines where data is to be forwarded to?
outputs.conf
True or False. The HF has a GUI.
True
True or False. The UF and the HF can be used to mask data before transmitting to indexers.
False. Only the HF, specifically a Splunk Enterprise instance, can perform data masking.
True or False. The default listening port is 8089.
False. 8089 is the default management port. The listening port can be any port.
On the DS, what is the difference between the apps sitting in the SPLUNK_HOME/etc/apps folder versus the SPLUNK_HOME/etc/deployment-apps?
The apps in the …/etc/apps folder are for the Deployment Server and the apps in the …/etc/deployment-apps are apps for deployment to a client.
When an app is deployed from the Deployment Server to the client, where will you find that app on the client by default?
Apps by default are deployed from the DS to the client in the SPLUNK_HOME/etc/apps folder.
True or False. Clients poll the DS on port 9997.
False. Clients poll the DS on its management port (8089 by default).
True or False. You can use the wildcards ... and * in the whitelist and blacklist.
False. The wildcards ... and * are meant for the stanzas.
True or False. The host_regex setting in inputs.conf can extract the host from the filename only.
False. It can extract the host from the path of the file.
After a file monitor is set up and is running, if you change the host value, will the new host value be reflected for already ingested data?
No. All changes apply to the new data only. To reflect changes for your old data, you need to delete and re-ingest the old data.
In our environment, we have a UF, an Indexer and a SH. Which instance contains the _thefishbucket?
Each instance will have its own local _thefishbucket.
True or False. Persistent Queue and Memory Queue can be applied to Network as well as Scripted inputs.
True
Why is it a Best Practice to send data to a syslog collector that writes into a directory structure and then have a UF/HF ingest the data from the directory structure?
If the UF has to be restarted, the _fishbucket will prevent data loss.
True or False. An interval setting for scripted inputs can be specified in cron syntax.
True. You can specify the interval in either number of seconds or cron syntax.
Is it possible to use the host value and not the DNS name or IP address for a TCP input? How?
Yes, it is possible. Under the stanza in inputs.conf set the connection_host to none and specify the host value.
True or False. You can set up a Windows input using a UF on the Windows server and send the data to an Indexer running on Linux.
True
True or False. You can collect Active Directory data from a Windows Server remotely using wmi.conf.
False. Only event logs and performance monitoring logs can be collected using wmi.conf.
True or False. Event Collector can be set up on a UF.
False. Event Collector can be set up on an Indexer or HF.
True or False. Data can be sent in JSON or any raw data format to the event collector.
True
In the props.conf example below, what is sendmail?
[sendmail]
CHARSET=AUTO
It is a sourcetype in props.conf.
Source types are specified as a string value in the stanza without the sourcetype:: prefix.
Examine the props.conf example below. Is this an acceptable format for the stanzas?
[source::/var/…/korea/*]
CHARSET=EUC-KR
[sendm*]
CHARSET=AUTO
No. You cannot use a wildcard with source types in props.conf.
True or False. Time extraction can be done using props.conf on the UF and the HF.
False. If the file does not contain a header line, then time has to be extracted on the HF/Indexer.
True or False. Event boundaries can be defined using props.conf at the UF.
True. You may want to define event boundaries for certain event types at the UF level. Remember the more you do at the UF level, the more resources you will need.
True or False. When extracting a timestamp, if the parser finds the indexer’s OS time, it will use that as the first preference.
False. When all else fails, the Indexer’s OS time is used as the last preference.
True or False. sedcmd can be used to eliminate unwanted events.
False. In order to eliminate unwanted events, you have to use transforms.conf.
sedcmd can only be used to mask or truncate data.
True or False. When using transforms.conf, the SOURCE_KEY is set to _raw by default.
True. If you do not specify the SOURCE_KEY in transforms.conf, it defaults to _raw.
In the props.conf file example below, what is itops?
[mysrctype]
TRANSFORMS-itops = route_errs_warns
itops is the namespace and is used to determine the sequence.
True or False. props.conf and transforms.conf are used to store Field Extractions, Lookups, Saved Searches and Macros.
False. They are used for Field Extractions and Lookups.
True or False. Any user belonging to any user role has the ability to reassign any Knowledge Object (KO).
False. Only users belonging to the admin role can assign any KO.
True or False. When you are using Splunk Web and select REGEX option in the Field Extractor, it uses props.conf and transforms.conf in the background.
False. It only uses props.conf. Delimiter-based extraction entries in props.conf and transforms.conf are created manually.
Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs
D
In case of a conflict between a whitelist and a blacklist input settings, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out
D. Whichever is entered into the configuration first
A
In which Splunk configuration is the sedcmd used?
A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf
A
Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default
A