Splunk Enterprise 8.0 Data Admin - LG1

Question 1

Which installer will the System Admin use to install the heavy forwarder?

Answer 1

Splunk Enterprise

Question 2

Which configuration file tells a Splunk instance to ingest data?

Answer 2

inputs.conf

Question 3

True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.

Answer 3

False. Best practice is to put the configuration in an app’s local directory (SPLUNK_HOME/etc/apps//local).

Question 4

When you configure the inputs using Settings > Add Data, under what directory is the inputs.conf created?

Answer 4

It depends on the App Context setting on the Input Setting stage. Best practice is to put the configuration file in the local directory of your app. If you have clustering enabled, then the SPLUNK_HOME/etc/system/local may not be the highest in the precedence order.

Question 5

True or False. You cannot change the sourcetype when you go through the Settings > Add Data wizard.

Answer 5

False. You can change the sourcetype from the dropdown. In fact, you can even create a new sourcetype.

Question 6

True or False. Splunk will not create an inputs.conf file when you use the Upload option in Settings > Add Data.

Answer 6

True. Upload is a one-time process, so Splunk does not create an inputs.conf.

Question 7

If the forwarder is set to send its data to 2 indexers at 30 seconds intervals, does it switch exactly at the 30th second?

Answer 7

Not always. The forwarder does not want to send half an event to indexer1 and the other half to indexer2. To avoid this situation, for example, if the forwarder is tailing a file, then it waits for an EOF or a pause in IO activity before it switches.

Question 8

True or False. Turning SSL on between the forwarder and the receiver automatically compresses the feed.

Answer 8

True

Question 9

What configuration file on the forwarder defines where data is to be forwarded to?

Answer 9

outputs.conf

Question 10

True or False. The HF has a GUI.

Answer 10

True

Question 11

True or False. The UF and the HF can be used to mask data before transmitting to indexers.

Answer 11

False. Only the HF, specifically a Splunk Enterprise instance, can perform data masking.

Question 12

True or False. The default listening port is 8089.

Answer 12

False. 8089 is the default management port. The listening port can be any port.

Question 13

On the DS, what is the difference between the apps sitting in the SPLUNK_HOME/etc/apps folder versus the SPLUNK_HOME/etc/deployment-apps?

Answer 13

The apps in the …/etc/apps folder are for the Deployment Server and the apps in the …/etc/deployment-apps are apps for deployment to a client.

Question 14

When an app is deployed from the Deployment Server to the client, where will you find that app on the client by default?

Answer 14

Apps by default are deployed from the DS to the client in the SPLUNK_HOME/etc/apps folder.

Question 15

True or False. Clients poll the DS on port 9997.

Answer 15

False. Clients poll the DS on its management port (8089 by default).

Question 16

True or False. You can use the wildcards, … and * in the whitelist and blacklist.

Answer 16

False. The wildcards, … and * are meant for the stanzas.

Question 17

True or False. The host_regex setting in inputs.conf can extract the host from the filename only.

Answer 17

False. It can extract the host from the path of the file.

Question 18

After a file monitor is set up and is running, if you change the host value, will the new host value be reflected for already ingested data?

Answer 18

No. All changes apply to the new data only. To reflect changes for your old data, you need to delete and re-ingest the old data.

Question 19

In our environment, we have a UF, an Indexer and a SH. Which instance contains the _thefishbucket?

Answer 19

Each instance will have its own local _thefishbucket

Question 20

True or False. Persistent Queue and Memory Queue can be applied to Network as well as Scripted inputs.

Answer 20

True

Question 21

Why is it a Best Practice to send data to a syslog collector that writes into a directory structure and then have a UF/HF ingest the data from the directory structure?

Answer 21

If the UF has to be restarted, the _fishbucket will prevent data loss.

Question 22

True or False. An interval setting for scripted inputs can be specified in cron syntax.

Answer 22

True. You can specify the interval in either number of seconds or cron syntax.

Question 23

Is it possible to use the host value and not the DNS name or IP address for a TCP input? How?

Answer 23

Yes, it is possible. Under the stanza in inputs.conf set the connection_host to none and specify the host value.

Question 24

True or False. You can set up a windows input using a UF on the windows server and send the data to an Indexer running on Linux.

Answer 24

True

Question 25

True or False. You can collect Active Directory data from a Windows Server remotely using wmi.conf

Answer 25

False. Only event logs and performance monitoring logs can be collected using wmi.conf.

Question 26

True or False. Event Collector can be set up on a UF.

Answer 26

False. Even Collector can be set up on an Indexer or HF.

Question 27

True or False. Data can be sent in json or any raw data format to the event collector

Answer 27

True

Question 28

In the props.conf example below, what is sendmail?

[sendmail]
CHARSET=AUTO

Answer 28

It is a sourcetype in props.conf.

Source types are specified as a string value in the stanza without the sourcetype:: prefix.

Question 29

Examine the props.conf example below. Is this an acceptable format for the stanzas?

[source::/var/…/korea/*]
CHARSET=EUC-KR

[sendm*]
CARSET=AUTO

Answer 29

No. You cannot use a wildcard with source types in props.conf.

Question 30

True or False. Time extraction can be done using props.conf on the UF and the HF.

Answer 30

False. If the file does not contain a header line, then time has to be extracted on the HF/Indexer.

Question 31

True or False. Event boundaries can be defined using props.conf at the UF.

Answer 31

True. You may want to define event boundaries for certain event types at the UF level. Remember the more you do at the UF level, the more resources you will need.

Question 32

True or False. When extracting a timestamp, if the parser finds the indexer’s OS time, it will use that as the first preference.

Answer 32

False. When all else fails, the Indexer’s OS time is used as the last preference.

Question 33

True or False. sedcmd can be used to eliminate unwanted events.

Answer 33

False. In order to eliminate unwanted events. you have to use transforms.conf.
sedcmd can only be used to mask or truncate data.

Question 34

True or False. When using tarnsforms.conf, the SOURCE_KEY is set to _raw by default

Answer 34

True. If you do not specify the SOURCE_KEY in transforms.conf, it defaults to _raw.

Question 35

In the props.conf file example below, what is itops?

[mysrctype]
TRANSFORMS-itops = route_errs_warns

Answer 35

itops is the namespace and is used to determine the sequence.

Question 36

True or False. props.conf and transforms.conf are used to store Field Extractions, Lookups, Saved Searches and Macros.

Answer 36

False. The are used for Field Extractions and Lookups.

Question 37

True or False. Any user belonging to any user role has the ability reassign any Knowledge Object (KO).

Answer 37

False. Only users belonging to the admin role can assign any KO.

Question 38

True or False. When you are using Splunk Web and select REGEX option in the Field Extractor, it uses props.conf and transforms.conf in the background.

Answer 38

False. It only uses props.conf. Delimiter based extractions entries in props.conf and transforms.conf are manually created.

Question 39

which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs

Answer 39

D

Question 40

In case of a conflict between a whitelist and a blacklist input settings, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out
D. Whichever is entered into the configuration first

Answer 40

A

Question 41

In which Splunk configuration is the sedcmd USED?
A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf

Answer 41

A

Question 42

Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default

Answer 42

A