Splunk Enterprise Certified Admin Flashcards

1
Q

Which setting in indexes.conf allows data retention to be controlled by time?

A. maxDaysToKeep

B. moveToFrozenAfter

C. maxDataRetentionTime

D. frozenTimePeriodInSecs

A

D. frozenTimePeriodInSecs

2
Q

The universal forwarder has which capabilities when sending data? (Choose all that apply.)

A. Sending alerts

B. Compressing data

C. Obfuscating/hiding data

D. Indexer acknowledgement

A

B. Compressing data

D. Indexer acknowledgement

3
Q

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

A. Blacklist

B. Whitelist

C. They cancel each other out.

D. Whichever is entered into the configuration first.

A

A. Blacklist

4
Q

In which Splunk configuration is the SEDCMD used?

A. props.conf

B. inputs.conf

C. indexes.conf

D. transforms.conf

A

A. props.conf

5
Q

Which of the following are supported configuration methods to add inputs on a forwarder? (Choose all that apply.)

A. CLI

B. Edit inputs.conf

C. Edit forwarder.conf

D. Forwarder Management

A

A. CLI

B. Edit inputs.conf

6
Q

Which parent directory contains the configuration files in Splunk?

A. $SPLUNK_HOME/etc

B. $SPLUNK_HOME/var

C. $SPLUNK_HOME/conf

D. $SPLUNK_HOME/default

A

A. $SPLUNK_HOME/etc

7
Q

Which forwarder type can parse data prior to forwarding?

A. Universal forwarder

B. Heaviest forwarder

C. Hyper forwarder

D. Heavy forwarder

A

D. Heavy forwarder

8
Q

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

A. Indexers

B. Forwarder

C. Search head

D. Search peers

A

C. Search head

9
Q

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

A. Deployer

B. Cluster master

C. Deployment server

D. Search head cluster master

A

A. Deployer

10
Q

Where should apps be located on the deployment server that the clients pull from?

A. $SPLUNK_HOME/etc/apps

B. $SPLUNK_HOME/etc/search

C. $SPLUNK_HOME/etc/master-apps

D. $SPLUNK_HOME/etc/deployment-apps

A

D. $SPLUNK_HOME/etc/deployment-apps

11
Q

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog

Which file is now monitored?

A. /var/log/messages

B. /var/log/maillog

C. /var/log/maillog and /var/log/messages

D. none of the above

A

B. /var/log/maillog

12
Q

In which phase of the index time process does the license metering occur?

A. Input phase

B. Parsing phase

C. Indexing phase

D. Licensing phase

A

C. Indexing phase

13
Q

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?

A. A list of all the configurations on-disk that Splunk contains.

B. A verbose list of all configurations as they were when splunkd started.

C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.

D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

A

C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.

14
Q

When running the command shown below, what is the default path in which deploymentserver.conf is created? splunk set deploy-poll deployServer:port

A. SPLUNK_HOME/etc/deployment

B. SPLUNK_HOME/etc/system/local

C. SPLUNK_HOME/etc/system/default

D. SPLUNK_HOME/etc/apps/deployment

A

B. SPLUNK_HOME/etc/system/local

15
Q

The priority of layered Splunk configuration files depends on the file’s:

A. Owner

B. Weight

C. Context

D. Creation time

A

C. Context

16
Q

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

A. Slash notation

B. Regular expression

C. Irregular expression

D. Wildcard-only expression

A

B. Regular expression

17
Q

What is required when adding a native user to Splunk? (Choose all that apply.)

A. Password

B. Username

C. Full Name

D. Default app

A

A. Password

B. Username

18
Q

What are the minimum required settings when creating a network input in Splunk?

A. Protocol, port number

B. Protocol, port, location

C. Protocol, username, port

D. Protocol, IP, port number

A

A. Protocol, port number

19
Q

Which Splunk component requires a Forwarder license?

A. Search head

B. Heavy forwarder

C. Heaviest forwarder

D. Universal forwarder

A

D. Universal forwarder

20
Q

Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?

A. _TCP_ROUTING

B. _INDEXER_LIST

C. _INDEXER_GROUP

D. _INDEXER_ROUTING

A

A. _TCP_ROUTING

21
Q

To set up a network input in Splunk, what needs to be specified?

A. File path.

B. Username and password.

C. Network protocol and port number.

D. Network protocol and MAC address.

A

C. Network protocol and port number.

22
Q

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

A. Universal forwarder

B. Parsing forwarder

C. Heavy forwarder

D. Advanced forwarder

A

C. Heavy forwarder

23
Q

Which of the following statements describe deployment management? (Choose all that apply.)

A. Requires an Enterprise license.

B. Is responsible for sending apps to forwarders.

C. Once used, is the only way to manage forwarders.

D. Can automatically restart the host OS running the forwarder.

A

A. Requires an Enterprise license.

B. Is responsible for sending apps to forwarders.

24
Q

During search time, which directory of configuration files has the highest precedence?

A. $SPLUNK_HOME/etc/system/local

B. $SPLUNK_HOME/etc/system/default

C. $SPLUNK_HOME/etc/apps/app1/local

D. $SPLUNK_HOME/etc/users/admin/local

A

C. $SPLUNK_HOME/etc/apps/app1/local

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

25
Q

Within props.conf, which stanzas are valid for data modification? (Choose all that apply.)

A. Host

B. Server

C. Source

D. Sourcetype

A

A. Host

C. Source

D. Sourcetype

26
Q

What is the correct order of steps in Duo Multifactor Authentication?

A. 1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk

B. 1. Request Login 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session

C. 1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk

D. 1. Request Login 2. Duo MFA 3. Check authentication / group mapping 4. Create User session 5. Authentication Granted 6. Log into Splunk

A

C. 1. Request Login 2. Check authentication / group mapping 3. Authentication Granted 4. Duo MFA 5. Create User session 6. Log into Splunk

27
Q

Where can scripts for scripted inputs reside on the host file system? (Choose all that apply.)

A. $SPLUNK_HOME/bin/scripts

B. $SPLUNK_HOME/etc/apps/bin

C. $SPLUNK_HOME/etc/system/bin

D. $SPLUNK_HOME/etc/apps//bin

A

A. $SPLUNK_HOME/bin/scripts

B. $SPLUNK_HOME/etc/apps/bin

C. $SPLUNK_HOME/etc/system/bin

28
Q

How does the Monitoring Console monitor forwarders?

A. By pulling internal logs from forwarders.

B. By using the forwarder monitoring add-on.

C. With internal logs forwarded by forwarders.

D. With internal logs forwarded by deployment server.

A

C. With internal logs forwarded by forwarders.

29
Q

What options are available when creating custom roles? (Choose all that apply.)

A. Restrict search terms.

B. Whitelist search terms.

C. Limit the number of concurrent search jobs.

D. Allow or restrict indexes that can be searched.

A

A. Restrict search terms.

C. Limit the number of concurrent search jobs.

D. Allow or restrict indexes that can be searched.

30
Q

Which of the following are supported options when configuring optional network inputs?

A. Metadata override, sender filtering options, network input queues (quantum queues)

B. Metadata override, sender filtering options, network input queues (memory/persistent queues)

C. Filename override, sender filtering options, network output queues (memory/persistent queues)

D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

A

B. Metadata override, sender filtering options, network input queues (memory/persistent queues)

31
Q

What is the default character encoding used by Splunk during the input phase?

A. UTF-8

B. UTF-16

C. EBCDIC

D. ISO 8859

A

A. UTF-8

32
Q

Which of the following enables compression for universal forwarders in outputs.conf?

A. [udpout:mysplunk_indexer11] compression=true

B. [tcpout] defaultGroup=my_indexers compressed=true

C. /opt/splunkforwarder/bin/splunk enable compression

D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false

A

B. [tcpout] defaultGroup=my_indexers compressed=true

33
Q

User role inheritance allows what to be inherited from the parent role? (Choose all that apply.)

A. Parents

B. Capabilities

C. Index access

D. Search history

A

B. Capabilities

C. Index access

34
Q

Which of the following statements apply to directory inputs? (Choose all that apply.)

A. All discovered text files are consumed.

B. Compressed files are ignored by default.

C. Splunk recursively traverses through the directory structure.

D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

A

A. All discovered text files are consumed.

C. Splunk recursively traverses through the directory structure.

35
Q

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

A. [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089

B. [distributedSearch] servers =nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON] default = false servers = houston1, houston2

C. [distributedSearch] servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089

D. [distributedSearch] servers =nyc1:8089; nyc2:80893; houston1:8089; houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:80897706; houston2:80898350

A

C. [distributedSearch] servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089

36
Q

Which of the following is a valid distributed search group?

A. [distributedSearch:Paris] default = false servers = server1, server2

B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089

C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997

D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

A

D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

37
Q

Local user accounts created in Splunk store passwords in which file?

A. $SPLUNK_HOME/etc/passwd

B. $SPLUNK_HOME/etc/authentication

C. $SPLUNK_HOME/etc/users/passwd.conf

D. $SPLUNK_HOME/etc/users/authentication.conf

A

A. $SPLUNK_HOME/etc/passwd

38
Q

For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?

A. True

B. False

C.

D. Newline Character

A

B. False

39
Q

Which Splunk component does a search head primarily communicate with?

A. Indexer

B. Forwarder

C. Cluster master

D. Deployment server

A

A. Indexer

40
Q

Which layers are involved in Splunk configuration file layering? (Choose all that apply.)

A. App context

B. User context

C. Global context

D. Forwarder context

A

A. App context

B. User context

C. Global context

41
Q

Which of the following are methods for adding inputs in Splunk? (Choose all that apply.)

A. CLI

B. Splunk Web

C. Editing inputs.conf

D. Editing monitor.conf

A

A. CLI

B. Splunk Web

C. Editing inputs.conf

42
Q

Which of the following authentication types requires scripting in Splunk?

A. ADFS

B. LDAP

C. SAML

D. RADIUS

A

D. RADIUS

43
Q

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders.

B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

A

B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

44
Q

What is the difference between the two wildcards … and * for the monitor stanza in inputs.conf?

A. … is not supported in monitor stanzas.

B. There is no difference, they are interchangeable and match anything beyond directory boundaries.

C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.

D. … matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

A

C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.

45
Q

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

A. License data

B. Metrics data

C. Internal Splunk data

D. Internal Windows logs

A

B. Metrics data

46
Q

Which valid bucket types are searchable? (Choose all that apply.)

A. Hot buckets

B. Cold buckets

C. Warm buckets

D. Frozen buckets

A

A. Hot buckets

B. Cold buckets

C. Warm buckets

47
Q

How do you remove missing forwarders from the Monitoring Console?

A. By restarting Splunk.

B. By rescanning active forwarders.

C. By reloading the deployment server.

D. By rebuilding the forwarder asset table.

A

D. By rebuilding the forwarder asset table.

48
Q

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

A. Any OS platform.

B. Linux platform only.

C. Windows platform only.

D. None of the above.

A

A. Any OS platform.

49
Q

What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?

A. REGEX, DEST, FORMAT

B. REGEX, SRC_KEY, FORMAT

C. REGEX, DEST_KEY, FORMAT

D. REGEX, DEST_KEY, FORMATTING

A

C. REGEX, DEST_KEY, FORMAT

50
Q

Which of the following indexes come pre-configured with Splunk Enterprise? (Choose all that apply.)

A. _licence

B. _internal

C. _external

D. _thefishbucket

A

B. _internal

D. _thefishbucket

51
Q

How often does Splunk recheck the LDAP server?

A. Every 5 minutes.

B. Each time a user logs in.

C. Each time Splunk is restarted.

D. Varies based on LDAP_refresh setting.

A

B. Each time a user logs in.

52
Q

Where are license files stored?

A. $SPLUNK_HOME/etc/secure

B. $SPLUNK_HOME/etc/system

C. $SPLUNK_HOME/etc/licenses

D. $SPLUNK_HOME/etc/apps/licenses

A

C. $SPLUNK_HOME/etc/licenses

53
Q

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.

B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.

C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

A

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

54
Q

Which Splunk component performs indexing and responds to search requests from the search head?

A. Forwarder

B. Search peer

C. License master

D. Search head cluster

A

B. Search peer

55
Q

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

A. App Class

B. Client Class

C. Server Class

D. Forwarder Class

A

C. Server Class

56
Q

In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0

Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

A. MAX_TIMESTAMP_LOOKAHEAD = 5

B. MAX_TIMESTAMP_LOOKAHEAD = 10

C. MAX_TIMESTAMP_LOOKAHEAD = 20

D. MAX_TIMESTAMP_LOOKAHEAD = 30

A

D. MAX_TIMESTAMP_LOOKAHEAD = 30

57
Q

Which of the following are required when defining an index in indexes.conf? (Choose all that apply.)

A. coldPath

B. homePath

C. frozenPath

D. thawedPath

A

A. coldPath

B. homePath

D. thawedPath

58
Q

Which of the following apply to how distributed search works? (Choose all that apply.)

A. The search head dispatches searches to the peers.

B. The search peers pull the data from the forwarders.

C. Peers run searches in parallel and return their portion of results.

D. The search head consolidates the individual results and prepares reports.

A

A. The search head dispatches searches to the peers.

C. Peers run searches in parallel and return their portion of results.

D. The search head consolidates the individual results and prepares reports.

59
Q

Which hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

A. Disk

B. CPUs

C. Memory

D. Network interface cards

A

B. CPUs

60
Q

Which authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)

A. LDAP

B. SAML

C. RADIUS

D. Duo Multifactor Authentication

A

A. LDAP

B. SAML

D. Duo Multifactor Authentication

61
Q

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

A. props.conf

B. inputs.conf

C. rawdata.conf

D. transforms.conf

A

A. props.conf

D. transforms.conf

62
Q

What conf file needs to be edited to set up distributed search groups?

A. props.conf

B. search.conf

C. distsearch.conf

D. distibutedsearch.conf

A

C. distsearch.conf

63
Q

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

A. index=main

B. index=test

C. index=summary

D. index=_internal

A

D. index=_internal

64
Q

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)

A. Index once.

B. Monitor interval.

C. On-demand monitor.

D. Continuously monitor.

A

A. Index once.

D. Continuously monitor.

65
Q

Which is a valid stanza for a network input?

A. [udp://172.16.10.1:9997] connection = dns sourcetype = dns

B. [any://172.16.10.1:10001] connection_host = ip sourcetype = web

C. [tcp://172.16.10.1:9997] connection_host = web sourcetype = web

D. [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns

A

D. [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns

66
Q

Which additional component is required for a search head cluster?

A. Deployer

B. Cluster Master

C. Monitoring Console

D. Management Console

A

A. Deployer

67
Q

When are knowledge bundles distributed to search peers?

A. After a user logs in.

B. When Splunk is restarted.

C. When adding a new search peer.

D. When a distributed search is initiated.

A

D. When a distributed search is initiated.

68
Q

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint information for that file?

A. _audit

B. _checkpoint

C. _introspection

D. _thefishbucket

A

D. _thefishbucket

69
Q

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?

A. Indexer

B. Forwarder

C. Search head

D. Deployment server

A

B. Forwarder

70
Q

How can native authentication be disabled in Splunk?

A. Remove the $SPLUNK_HOME/etc/passwd file

B. Create an empty $SPLUNK_HOME/etc/passwd file

C. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf

D. Set nativeAuthentication=false in authentication.conf

A

B. Create an empty $SPLUNK_HOME/etc/passwd file

71
Q

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

A. Indexers, search head, universal forwarders, license master

B. Indexers, search head, deployment server, universal forwarders

C. Indexers, search head, deployment server, license master, universal forwarder

D. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

A

C. Indexers, search head, deployment server, license master, universal forwarder

72
Q

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

A. inputs.conf

B. monitor.conf

C. outputs.conf

D. forwarder.conf

A

A. inputs.conf

C. outputs.conf

https://docs.splunk.com/Documentation/Forwarder/8.0.5/Forwarder/Configuretheuniversalforwarder

73
Q

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

A. The blacklist takes precedence over the whitelist.

B. The whitelist takes precedence over the blacklist.

C. Wildcards are not supported in any client filters.

D. Machine type filters are applied before the whitelist and blacklist

A

A. The blacklist takes precedence over the whitelist.

74
Q

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

A. props.conf

B. inputs.conf

C. outputs.conf

D. collections.conf

A

C. outputs.conf

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

75
Q

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

A. Enable indexer acknowledgment.

B. Enable forwarder acknowledgment.

C. splunk check-integrity -index

D. index=_internal component=ACK | stats count by host

A

A. Enable indexer acknowledgment.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck
“While HEC has precautions in place to prevent data loss, it’s impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknowledgment comes in.”

76
Q

What is the valid option for a [monitor] stanza in inputs.conf?

A. enabled

B. datasource

C. server_name

D. ignoreOlderThan

A

D. ignoreOlderThan

77
Q

Which of the following is a benefit of distributed search?

A. Peers run search in sequence.

B. Peers run search in parallel.

C. Resilience from indexer failure.

D. Resilience from search head failure.

A

B. Peers run search in parallel.

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

78
Q

The CLI command splunk add forward-server indexer: will create stanza(s) in which configuration file?

A. inputs.conf

B. indexes.conf

C. outputs.conf

D. servers.conf

A

C. outputs.conf

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

79
Q

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=*
What field can the administrator check to see the data distribution?

A. host

B. index

C. linecount

D. splunk_server

A

D. splunk_server

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields

80
Q

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678.
Which configuration file and stanza pair will mask possible SSNs in the log events?

A. props.conf [mask-SSN] REX = (?ms)^(.)\d{3}-?\d{2}-?(\d{4}.*)$” FORMAT = $1###-##-$2 KEY = _raw

B. props.conf [mask-SSN] REGEX = (?ms)^(.)\d{3}-?\d{2}-?(\d{4}.*)$” FORMAT = $1###-##-$2 DEST_KEY = _raw

C. transforms.conf [mask-SSN] REX = (?ms)^(.)\d{3}-?\d{2}-?(\d{4}.*)$” FORMAT = $1###-##-$2 DEST_KEY = _raw

D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\d{3}-?\d{2}-?(\d{4}.*)$” FORMAT = $1###-##-$2 DEST_KEY = _raw

A

D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\d{3}-?\d{2}-?(\d{4}.*)$” FORMAT = $1###-##-$2 DEST_KEY = _raw

Because transforms.conf is the right configuration file in which to state the regular expression.
https://docs.splunk.com/Documentation/Splunk/8.1.0/Admin/Transformsconf

81
Q

Where are deployment server apps mapped to clients?

A. Apps tab in forwarder management interface or clientapps.conf.

B. Clients tab in forwarder management interface or deploymentclient.conf.

C. Server Classes tab in forwarder management interface or serverclass.conf.

D. Client Applications tab in forwarder management interface or clientapps.conf.

A

C. Server Classes tab in forwarder management interface or serverclass.conf

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Useserverclass.conf
“Use serverclass.conf to define server classes”

82
Q

Which Splunk configuration file is used to enable data integrity checking?

A. props.conf

B. global.conf

C. indexes.conf

D. data_integrity.conf

A

C. indexes.conf

https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/Dataintegritycontrol

83
Q

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the index?

A. Buy a bigger Splunk license.

B. Add 2.5 TB each day for the next 5 days.

C. Add all 10 TB in a single 24 hour period.

D. Add 200 GB of historical data each day for 50 days.

A

C. Add all 10 TB in a single 24 hour period.

84
Q

After how many warnings within a rolling 30-day period will a license violation occur with an enforced Enterprise license?

A. 1

B. 3

C. 4

D. 5

A

D. 5

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

“Enterprise Trial license. If you get five or more warnings in a rolling 30 days period, you are in violation of your license. Dev/Test license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Developer license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. BUT for Free license. If you get three or more warnings in a rolling 30 days period, you are in violation of your license.”

85
Q

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?

A. Duo Administrator

B. LDAP Administrator

C. SAML Administrator

D. Trio Administrator

A

A. Duo Administrator

https://duo.com/docs/splunk

86
Q

When does a warm bucket roll over to a cold bucket?

A. When Splunk is restarted.

B. When the maximum warm bucket age has been reached.

C. When the maximum warm bucket size has been reached.

D. When the maximum number of warm buckets is reached.

A

D. When the maximum number of warm buckets is reached.

https://wiki.splunk.com/Deploy:BucketRotationAndRetention

“Bucket Stages. A bucket rolls from one stage to another depending on certain conditions: Hot -> Warm -> Cold -> Frozen (-> Thawed). From hot to warm if its size reaches a limit ‘maxDataSize’ or its lifetime is older than ‘maxHotSpanSecs’, or by using a manual command to roll the buckets. From warm to cold; once the number of maxWarmDBCount is reached, the older will be rolled.”

87
Q

In a distributed environment, which Splunk component is used to distribute apps and configurations to the other Splunk instances?

A. Indexer

B. Deployer

C. Forwarder

D. Deployment server

A

D. Deployment server

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations
First line says it all: “The deployment server distributes deployment apps to clients.”

88
Q

How is a remote monitor input distributed to forwarders?

A. As an app.

B. As a forward.conf file.

C. As a monitor.conf file.

D. As a forwarder monitor profile.

A

A. As an app.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

89
Q

How is data handled by Splunk during the input phase of the data ingestion process?

A. Data is treated as streams.

B. Data is broken up into events.

C. Data is initially written to disk.

D. Data is measured by the license meter.

A

A. Data is treated as streams.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

“In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with some metadata keys.”

90
Q

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

A. Upload option

B. Forward option

C. Monitor option

D. Download option

A

A. Upload option

91
Q

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

A. Use Local Windows host monitoring.

B. Use Windows Remote Inputs with WMI.

C. Use Local Windows network monitoring.

D. Use an index with an Index Data Type of Metrics.

A

B. Use Windows Remote Inputs with WMI.

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

92
Q

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

A. Map Users

B. Map Groups

C. Map LDAP Inheritance

D. Map LDAP to Active Directory

A

B. Map Groups

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

93
Q

Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of users?

A. Linked roles

B. Grantable roles

C. Role federation

D. Role inheritance

A

D. Role inheritance

https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles
“Role inheritance: You can have a role inherit certain properties from one or more existing roles.”

94
Q

Which of the following is the use case for the deployment server feature of Splunk?

A. Managing distributed workloads in a Splunk environment.

B. Automating upgrades of Splunk forwarder installations on endpoints.

C. Orchestrating the operations and scale of a containerized Splunk deployment.

D. Updating configuration and distributing apps to processing components, primarily forwarders.

A

D. Updating configuration and distributing apps to processing components, primarily forwarders.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver
“The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.”

95
Q

When running a real-time search, search results are pulled from which Splunk component?

A. Heavy forwarders and search peers

B. Heavy forwarders

C. Search heads

D. Search peers

A

D. Search peers

https://docs.splunk.com/Splexicon:Searchpeer

“A search peer is a Splunk platform instance that responds to search requests from a search head. The term “search peer” is usually synonymous with the indexer role in a distributed search topology. However, other instance types also have access to indexed data, particularly internal diagnostic data, and thus function as search peers when they respond to search requests for that data.”

96
Q

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309
Event:
[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

A

D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata
Scrolling down to the section titled “Define the sed script in props.conf” shows the correct syntax of an example, which validates that the backreference \1 immediately precedes the /g.

97
Q

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

A. It requires a separate channel provided by the client.

B. It is configured the same as indexer acknowledgement used to protect in-flight data.

C. It can be enabled at the global setting level.

D. It stores status information on the Splunk server.

A

A. It requires a separate channel provided by the client.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck - Section: About channels and sending data

98
Q

What action is required to enable forwarder management in Splunk Web?

A. Navigate to Settings > Server Settings > General Settings, and set an App server port.

B. Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C. Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

D. Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

A

C. Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver
“To activate deployment server, you must place at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. In this case, the app is the “send to indexer”.”

99
Q

Which of the following is accurate regarding the input phase?

A. Breaks data into events with timestamps.

B. Applies event-level transformations.

C. Fine-tunes metadata.

D. Performs character encoding.

A

D. Performs character encoding.

Quoting the Splunk reference URL https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline

“The data pipeline segments in depth. INPUT - In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with some metadata keys. The keys can also include values that are used internally, such as the character encoding of the data stream, and values that control later processing of the data, such as the index into which the events should be stored. PARSING Annotating individual events with metadata copied from the source-wide keys. Transforming event data and metadata according to regex transform rules.”

100
Q

When indexing a data source, which fields are considered metadata?

A. source, host, time

B. time, sourcetype, source

C. host, raw, sourcetype

D. sourcetype, source, host

A

D. sourcetype, source, host

“metadata (source, sourcetype, host, timestamp, punct, etc.)”

101
Q

What is the default value of LINE_BREAKER?

A. \r\n

B. ([\r\n]+)

C. \r+\n+

D. (\r\n+)

A

B. ([\r\n]+)

“Default is any sequence of new lines and carriage returns: ([\r\n]+)”

102
Q

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A. [monitor:///var/log/.../secure.*]

B. [monitor:///var/log/www1/secure.*]

C. [monitor:///var/log/www1/secure.log]

D. [monitor:///var/log/www/secure.]

A

A. [monitor:///var/log/.../secure.*]

“The ellipsis wildcard recurses through directories and subdirectories to match.”

“The asterisk wildcard matches anything in that specific directory path segment but does not go beyond that segment in the path. Normally it should be used at the end of a path.”

103
Q

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

A. bucketdb

B. frozendb

C. colddb

D. db

A

C. colddb

D. db

https://wiki.splunk.com/Deploy:BucketRotationAndRetention
Found the values colddb and db only.

104
Q

The LINE_BREAKER attribute is configured in which configuration file?

A. props.conf

B. indexes.conf

C. inputs.conf

D. transforms.conf

A

A. props.conf

105
Q

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

A. channelTTL

B. connectionTimeout

C. autoLBFrequency

D. secsInFailureInterval

A

C. autoLBFrequency

106
Q

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A. followTail = -45d

B. ignore = 45d

C. includeNewerThan = 45d

D. ignoreOlderThan = 45d

A

D. ignoreOlderThan = 45d

https://community.splunk.com/t5/Getting-Data-In/ignoreOlderThan-in-inputs-conf/m-p/358307

“When monitoring is set up with the ignoreOlderThan attribute, it will exclude all files that were last modified earlier than the set value.”

107
Q

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A. 90 days

B. 60 days

C. 7 days

D. 14 days

A

B. 60 days

Comes with the product; valid for 60 days, after which another license type must be activated.
Page 42, Splunk Enterprise System Administration

108
Q

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

A. Indexer

B. Deployment server

C. Universal forwarder

D. Search head

A

D. Search head

109
Q

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.

B. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C. Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D. Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

A

A. Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps, can automatically restart remote Splunk instances.

110
Q

Which Splunk forwarder has a built-in license?

A. Light forwarder

B. Heavy forwarder

C. Universal forwarder

D. Cloud forwarder

A

C. Universal forwarder

111
Q

What happens when the same username exists in Splunk as well as through LDAP?

A. Splunk user is automatically deleted from authentication.conf.

B. LDAP settings take precedence.

C. Splunk settings take precedence.

D. LDAP user is automatically deleted from authentication.conf.

A

C. Splunk settings take precedence.

112
Q

Which of the following types of data count against the license daily quota?

A. Replicated data

B. splunkd logs

C. Summary index data

D. Windows internal logs

A

D. Windows internal logs

113
Q

In which phase do indexed extractions in props.conf occur?

A. Inputs phase

B. Parsing phase

C. Indexing phase

D. Searching phase

A

A. Inputs phase

114
Q

Which of the following statements describes how distributed search works?

A. Forwarders pull data from the search peers.

B. Search heads store a portion of the searchable data.

C. The search head dispatches searches to the search peers.

D. Search results are replicated within the indexer cluster.

A

C. The search head dispatches searches to the search peers.

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

“To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you designate as a search head. You do this by specifying each search peer manually.”

115
Q

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?

A. Apps

B. Search

C. Data preview

D. Forwarder inputs

A

C. Data preview

Watch this video
http://www.splunk.com/view/SP-CAAAGPR

116
Q

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

A. It does not encrypt the certificate password.

B. SSL automatically compresses the feed by default.

C. It requires that the forwarder be set to compressed=true.

D. It requires that the receiver be set to compression=true.

A

B. SSL automatically compresses the feed by default.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/AboutsecuringyourSplunkconfigurationwithSSL

“You can turn on SSL encryption using the default certificate to provide encryption and compression. However, communication using the default certificate does not provide secure authentication, as the certificate password is supplied with every installation of Splunk software. The default certificates are set to expire three years after initial startup, and forwarder to indexer communications will fail at this point.”