Splunk Enterprise 8.0 System Admin - LG1 Flashcards
Which installer will you use to install the Search Head?
Splunk Enterprise
True or False. When you install Splunk on a Windows OS, you also have to configure the boot-start?
False. You only need to do that on a Linux installation.
True or False. The default Splunk Web port is set to 8000.
True.
What is the default port for the splunkd process?
8089
What is the $SPLUNK_HOME directory in Windows?
C:\Program Files\Splunk
What is the $SPLUNK_HOME directory in Linux?
/opt/splunk
Where is $SPLUNK_DB located?
$SPLUNK_HOME/var/lib/splunk
What is the default port for the KV Store?
8191
True or False. Splunk provides separate licenses for metrics and events data.
False. Metrics data draws from the same license quota as event data.
True or False. Search Heads also need an Enterprise License (or to be set as a slave to a License Master with an Enterprise License) even though you have not configured any inputs.
True.
True or False. If the indexing exceeds the daily license quota in a pool, your license goes into violation.
False. If the indexing exceeds the allocated daily quota in a pool, an alert is raised. If it is not fixed by midnight then the alert turns into a warning. 5 or more warnings on an enforced Enterprise license or 3 warnings on a Free license, in a rolling 30-day period, is a violation.
True or False. Write permissions to an app means that the user’s role is able to modify the app.
False. User roles with write permission can add/delete/modify knowledge objects used in the app.
True or False. Universal Forwarders don’t have a web interface, but they can still benefit from an app.
True
Which configuration file tells a Splunk instance to ingest data?
inputs.conf
True or False. When Splunk starts, configuration files are merged together into a single run-time model for each file type.
True
True or False. btool shows the on-disk configuration for the requested file.
True
True or False. Splunk, by default, automatically sets the frozen path when you create an index.
False. Frozen path is not set by default. Data is set to delete by default.
True or False. When hot buckets roll to warm they go to a different directory.
False. Hot and warm buckets stay in the same directory by default. When hot buckets roll to warm they are renamed.
True or False. _introspection index tracks system performance and Splunk resource usage data.
True
True or False. Frozen buckets roll to Thawed automatically.
False. To thaw a frozen bucket you will have to start by copying the bucket directory from the frozen directory to the index’s thaweddb directory and….
True or False. When creating an Index from the web, it creates a stanza in inputs.conf.
False. It creates a stanza in indexes.conf.
True or False. When running the splunk clean command, you can set a date range for the events you want to delete.
False. There is no option to set a date range.
True or False. If you are installing a Search Head and an Indexer, Splunk requires an admin account on each instance.
True
True or False. If you want a role that is “like” user but with some capabilities turned off, you can create a new role that inherits from the user role and remove some of the capabilities.
False. You will have to create a new role that does NOT inherit from the user role, turn on all of the same capabilities as in user role, except those you want turned off.