Splunk Enterprise 8.0 System Admin - LG1

Question 1

Which installer will you use to install the Search Head?

Answer 1

Splunk Enterprise

Question 2

True or False. When you install Splunk on a Windows OS, you also have to configure the boot-start?

Answer 2

False. You only need to do that on a Linux installation.

Question 3

True or False. The default Splunk Web port is set to 8000.

Answer 3

True.

Question 4

What is the default port for the splunkd process

Answer 4

8089

Question 5

What is the $SPLUNK_HOME directory in Windows?

Answer 5

C:\Program Files\Splunk

Question 6

What is the $SPLUNK_HOME directory in Linux?

Answer 6

/opt/splunk

Question 7

Where is the $SPLUNK_DB located

Answer 7

SPLUNK_HOME/var/lib/splunk

Question 8

What is the default port for the KV Store?

Answer 8

8191

Question 9

True or False. Splunk provides separate licenses for metrics and events data.

Answer 9

False. Metrics data draws from the same license quota as event data.

Question 10

True or False. Search Heads also need an Enterprise License (or set as a slave to License Master with an Enterprise License) even though you have not configured any inputs.

Answer 10

True.

Question 11

True or False. If the indexing exceeds the daily license quota in a pool, your license go into a violation

Answer 11

False. If the indexing exceeds the allocated daily quota in a pool, an alert is raised. If it is not fixed by midnight then the alert turns into a warning. 5 or more warnings on an enforced Enterprise license or 3 warnings on a Free license, in a rolling 30-day period, is a violation.

Question 12

True or False. Write permissions to an app means that the user’s role is able to modify the app.

Answer 12

False. User roles with write permission can add/delete/modify knowledge objects used in the app.

Question 13

True or False. Universal Forwarders don’t have a web interface, but they can still benefit from an app.

Answer 13

True

Question 14

Which configuration file tells a Splunk instance to ingest data?

Answer 14

inputs.conf

Question 15

True or False. When Splunk starts, configuration files are merged together into a single run-time model for each file type.

Answer 15

True

Question 16

True or False. btool shows on-disk configuration for requested file.

Answer 16

True

Question 17

True or False. Splunk, by default, automatically sets the frozen path when you create an index.

Answer 17

False. Frozen path is not set by default. Data is set to delete by default.

Question 18

True or False. When hot buckets roll to warm they go to a different directory.

Answer 18

False. Hot and warm buckets stay in the same directory by default. When hot buckets roll to warm they are renamed.

Question 19

True or False. _introspection index tracks system performance and Splunk resource usage data.

Answer 19

True

Question 20

True or False. Frozen buckets roll to Thawed automatically.

Answer 20

False. To thaw a frozen bucket you will have to start by copying the bucket directory from the frozen directory to the index’s thaweddb directory and….

Question 21

True or False. When creating an Index from the web, it creates a stanza in inputs.conf.

Answer 21

False. It creates a stanza in indexes.conf.

Question 22

True or False. When running the splunk clean command, you can set a date range for the events you want to delete.

Answer 22

False. There is no option to set a date range.

Question 23

True or False. If you are installing a Search Head and an Indexer, Splunk requires an admin account on each instance.

Answer 23

True

Question 24

True or False. If you want a role that is “like” user but with some capabilities turned off, you can create a new role that inherits from the user role and remove some of the capabilities.

Answer 24

False. You will have to create a new role that does NOT inherit from the user role, turn on all of the same capabilities as in user role, except those you want turned off.

Question 25

True or False. You can unlock a user from the CLI.

Answer 25

True

Question 26

True or False. You have to configure a separate receiving port on the indexer for each universal forwarder.

Answer 26

False. You do not have to create a separate port for each UF.

Question 27

True or False. When a UF is installed on Windows, the instance provides a GUI.

Answer 27

False. Universal Forwarder do not have a GUI on Windows OS or any other OS.

Question 28

Running splunk add forward-server ,indexer:port> creates stanzas in which .conf file?

Answer 28

outputs.conf

Question 29

True or False. When adding a Search Peer you must enter a username and password of an account on the search peer, with edit_roles capability.

Answer 29

False. The account must have edit_user capability.

Question 30

True or False. Knowledge bundles contain the knowledge objects required by the indexers for searching.

Answer 30

True

Question 31

True or False. A quarantined search peer is prevented from performing new searches but continues to attempt to service any currently running search.

Answer 31

True

Question 32

True or False. By default the role “user” does not have write permissions within the search app.

Answer 32

True