Splunk System Admin Flashcards
Do Splunk “Data” Admins or Splunk “System” Admins install, manage, and configure Splunk components?
System Admins
Do Splunk “Data” Admins or Splunk “System” Admins work with users requesting new data sources?
Data Admins
Input, parse, index, search are the four ____ of Splunk
stages
All functions are in a single Splunk instance in this type of deployment:
a. distributed
b. basic
c. standalone
c. standalone
This type of Splunk deployment is usually used for testing, proof of concept, personal use, and learning:
a. distributed
b. basic
c. standalone
c. standalone
This type of Splunk deployment is similar to the standalone configuration, but manages the deployment of forwarder configurations.
a. distributed
b. basic
c. standalone
b. basic
With this type of Splunk deployment, indexers are added to handle more inputs and searching. Search heads are also added to handle more searching.
a. distributed
b. basic
c. standalone
a. distributed
With this type of Splunk deployment, forwarder configurations are managed with a dedicated deployment server.
a. distributed
b. basic
c. standalone
a. distributed
This Splunk component allows users to submit search requests using SPL, distributes search requests to indexers, consolidates results and renders visualizations of results, and stores search-time knowledge objects (such as field extractions, alerts, and dashboards).
a. forwarders
b. indexers
c. search heads
d. deployment server
c. search heads
This Splunk component receives incoming data from forwarders, indexes and stores data in Splunk indexes, and searches data in response to requests from search heads.
a. forwarders
b. indexers
c. search heads
d. deployment server
b. indexers
Which Splunk component is responsible for parsing data into events?
a. forwarders
b. indexers
c. search heads
d. deployment server
b. indexers
This Splunk component is responsible for monitoring configured inputs and forwarding the data to the indexers, requires minimal resources, and is typically installed on the machines that produce data.
a. forwarders
b. indexers
c. search heads
d. deployment server
a. forwarders
Are forwarders responsible for searching, indexing/parsing, input, or management?
input
Which Splunk component is responsible for managing the deployment clients in a Splunk Enterprise deployment?
a. forwarders
b. indexers
c. search heads
d. deployment server
d. deployment server
This Splunk component acts as a centralized configuration manager for any number of deployment clients and requires running on a Splunk Enterprise license.
a. forwarders
b. indexers
c. search heads
d. deployment server
d. deployment server
What are the default network ports for both the Splunk Enterprise and universal forwarders?
a. 8191
b. 8000
c. 8089
d. 8065
c. 8089
What is the default Splunk Enterprise network port for Splunk Web?
a. 8191
b. 8000
c. 8089
d. 8065
b. 8000
What is the default Splunk Enterprise network port for the Web app-server proxy?
a. 8191
b. 8000
c. 8089
d. 8065
d. 8065
What is the default Splunk Enterprise network port for KV Store?
a. 8191
b. 8000
c. 8089
d. 8065
a. 8191
True or False. Splunk Web, Web app-server proxy, and KV Store do not have default network ports for universal forwarders.
True
True or False. S2S receiving port(s), network/http input(s), index replication port(s), and search replication port(s) have default network ports.
False
NTP or ____ ___ ___ ensures that there is a standardized time configuration on Splunk servers. This is important because clock skew between hosts can affect the timestamp of events, and search results.
Network Time Protocol
The ____ process spawns and controls Splunk child processes such as web proxy, KV store, and introspection services. It also accesses, processes, and indexes incoming data, and handles all search requests and returns results.
splunkd
Splunk web ____ settings are used to set server configuration and server options.
server
/opt/splunk/var/lib/splunk is the path to the existing _____ in a Splunk environment.
indexes
What is the minimum amount of free disk space required for an index? (Note: If the disk space is less than the minimum amount, Splunk pauses indexing)
5000
Do you use the Splunk Enterprise installer, or the Universal Forwarder installer to install indexers, search heads, the license master, the deployment server, the heavy forwarder, and the cluster manager?
Splunk Enterprise installer
Do you use the Splunk Enterprise installer, or the Universal Forwarder installer to install your deployment client?
Universal forwarder installer
The ___ ____ (MC) in Splunk is an admin-only app used to monitor and investigate data Splunk collects about itself, such as performance and resource usage.
Monitoring Console
Is the Monitoring Console configured or un-configured by default in standalone mode? Can you enable it?
un-configured
yes
Monitoring Console Alerts Setup provides preconfigured platform alerts. Are they enabled or disabled by default?
disabled
The four types of Splunk _____ are Enterprise trial, Enterprise, Free, and Forwarder.
licenses
This type of Splunk license comes with the product, is valid for 60 days, requires activation of another license type after the 60-day period, and has a 500 MB/day limit.
a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license
b. Enterprise trial license
This type of Splunk license is purchased from Splunk, sets the daily indexing volume amount, has full functionality for indexing, search head, deployment server, etc., and allows searching even if you are in a license violation period.
a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license
d. Enterprise license
This type of Splunk license disables alerts, scheduled searches, authentication, clustering, distributed search, summarization, and forwarding to non-Splunk servers. It also allows 500 MB/day of indexing and forwarding to other Splunk instances.
a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license
a. free license
This Splunk license applies to non-indexing forwarders, sets a server up as a heavy forwarder, and allows authentication, but no indexing.
a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license
c. forwarder license
____ occur when indexing exceeds the allocated daily quota in a pool, they’re viewed in Splunk Web > Messages (as a “pool warning”), and may eventually result in a Warning.
a. alert
b. violation
c. warning
a. alert
_____ occurs if an alert is triggered, and license capacity is not increased by midnight (by adding new license or moving capacity from another pool).
a. alert
b. violation
c. warning
c. warning
_____ occurs after 5 warnings on an Enterprise license in a rolling 30-day period and requires a reset key from Splunk Support or Sales Team.
a. alert
b. violation
c. warning
b. violation
True or False. These instances DO count against the daily license quota of Splunk:
– replicated data (Index Clusters)
– summary indexes
– Splunk internal logs (_internal, _audit, etc. indexes)
– structural components of an index (metadata, tsidx, etc.)
False. They DO NOT count against the daily license quota of Splunk.
True or False. These instances DO NOT count against the daily license quota of Splunk:
– data from all sources that are indexed
– events: measured as the data (full size) that flows through the parsing pipeline per day
– metrics: measurement capped at 150 bytes per metric event
False. They DO count against the daily license quota of Splunk.
____ _____ allows licenses to be subdivided and assigned to indexer groups. For example, a total stack of 500GB would be distributed differently in a single pool of indexers vs. a multiple pool environment.
license pooling
There are two types of pricing when it comes to Splunk licensing: Ingest-Based and Infrastructure-Based. ____ ____ is based on data volume and is the traditional licensing method.
Ingest-Based
There are two types of pricing when it comes to Splunk licensing: Ingest-Based and Infrastructure-Based. ____ ____ is based on compute capacity and provides more control over searching and indexing.
Infrastructure-Based
Splunk ____ gathers data and provides insight into instances. You can get information on server specs (i.e. OS version, current open connections) and the Splunk platform (i.e. contents of SPLUNK_HOME/etc such as app configurations and Splunk log files).
diag
True or False. Splunk provides separate licenses for metrics and events data.
False. Metrics data draws from the same license quota as event data.
True or False. Search Heads also need an Enterprise License (directly or through a License Master) even without configuring any inputs.
True
True or False. If the indexing exceeds the daily license quota in a pool, your license will go into a violation.
False. Indexing that exceeds the allocated daily quota in a pool is an alert. An alert not fixed by midnight turns into a warning.
Splunk ____ are a collection of configuration files, scripts, web assets, etc. They may be focused on specific types of data, vendor, OS, industry, or business needs.
apps
Splunk ____ are installed under SPLUNK_HOME/etc/apps.
apps
This type of Splunk app permission allows a user to see an app and use it, add knowledge objects (KOs), and modify KOs they own.
a. write permissions
b. read permissions
b. read permissions
This type of Splunk app permission allows a user to share KOs they own and delete KOs used in the app.
a. read permissions
b. write permissions
b. write permissions
A Splunk ___-___ is a reusable component that supports other apps. It is also often used for data collection, and DOES NOT contain Splunk Web UI components (reports or dashboards).
add-on
____ add-ons (TAs) are specialized add-ons that help collect, transform, and normalize data feeds from specific sources.
Technology
True or False. Write permissions to an app means that the user’s role is able to modify the app.
False. User roles with write permission can add/delete/modify knowledge objects used in the app.
True or False. Universal forwarders don’t have a web interface, but they can still benefit from an app.
True
____ files govern an aspect of Splunk functionality. They are saved under SPLUNK_HOME/etc.
configuration
Do configuration text files generally use a case-sensitive [stanza] and have a format of attribute = value?
Yes
There are three ways that you can edit Splunk ____. In Splunk Web, using Splunk CLI, or editing .conf files.
configurations
What components of the Splunk environment generally use the outputs.conf configuration file? Choose all that apply.
a. indexer
b. forwarder
c. search head
b. forwarder
c. search head
Which configuration file is responsible for where to forward data?
a. outputs.conf
b. inputs.conf
c. props.conf
a. outputs.conf
This Splunk component uses props.conf for search-time field extractions, lookups, etc. However, ____ use props.conf for parsing, and ____ use props.conf for limited parsing. (Note: All answers below are used. Place them in the correct blanks above)
a. indexer
b. forwarder
c. search head
c. search head
a. indexer
b. forwarder
Which configuration file is responsible for what data is collected?
a. outputs.conf
b. inputs.conf
c. props.conf
b. inputs.conf
Inputs.conf configuration files in ___ ___ collect internal Splunk log data. ____ inputs.conf configuration files collect data AND determine which ports to listen to. Inputs.conf configuration files on ____ collect production data. (Note: All answers below are used. Place them in the correct blanks above)
a. indexer
b. forwarder
c. search head
c. search head
a. indexer
b. forwarder
_____ configuration files come with Splunk out of the box. ____ configuration files do not.
a. local
b. default
b. default
a. local
____ configuration files are overwritten when updates apply. They SHOULD NOT be modified. On the other hand, ____ configuration files keep changes. Changes are preserved when updates occur. Also, this is the only file of the two that you should modify, and the settings override default settings.
a. local
b. default
b. default
a. local
Configuration files fall into either of two file contexts – App/User Context or Global Context. Global Context configuration files are used during ____ time, while App/User Context configuration files are used during ____ time.
a. index time
b. search time
a. index time
b. search time
Which three configuration files are examples of Global Context files?
a. macros.conf
b. savedsearches.conf
c. outputs.conf
d. props.conf
e. inputs.conf
c. outputs.conf
d. props.conf
e. inputs.conf
Which three configuration files are examples of App/User Context files?
a. macros.conf
b. savedsearches.conf
c. outputs.conf
d. props.conf
e. inputs.conf
a. macros.conf
b. savedsearches.conf
d. props.conf
Which use case below is an example of a Global Context configuration use case? Which case is an example of an App/User Context configuration use case?
a. a private report in the Search app
b. a network input to collect syslog data
b. a network input to collect syslog data
a. a private report in the Search app
_____ ____ configuration files are background tasks, include input, parsing, and indexing, and are user independent tasks. ____ ____ configuration files are connected to user-related activity, and include searching and search time processing. (Answer: Choose from either Global Context or App/User Context)
Global Context, App/User Context
The Splunk ____ shows on-disk configuration for a requested file. It’s useful for checking configuration scope and permission rules.
tool
Which configuration file tells a Splunk instance to ingest data?
inputs.conf
True or False. btool shows on-disk configuration for a requested file.
True
True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.
False. The best place to put the configuration is in an app’s local directory (SPLUNK_HOME/etc/apps//local).
_____ store input data as events. main and _internal are examples of these that are included by default with the Splunk application.
indexes
____ can be used to limit the scope of a search, and allow the ability to limit access by user.
indexes
____ are found in the following location: SPLUNK_DB (SPLUNK_HOME/var/lib/splunk)
indexes
This type of index contains network data.
a. security
b. proxy
c. web
b. proxy
_internal, _audit, _introspection, _thefishbucket, summary, and main are all examples of _____ indexes.
preconfigured
This preconfigured index consists of Splunk’s own logs and metrics.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
c. _internal
This preconfigured index stores Splunk audit trails and other optional auditing information.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
f. _audit
This preconfigured index tracks system performance, Splunk resource usage data, and provides the Monitoring Console (MC) with performance data.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
b. _introspection
This preconfigured index contains checkpoint information for file monitoring inputs.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
e. _thefishbucket
This preconfigured index is the default index for summary indexing system.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
a. summary
This preconfigured index is the default index for inputs and is in the defaultdb directory.
a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit
d. main
____ are part of an index that stores events, and are directories containing a set of raw data.
buckets
What is the default index size?
500GB
____ are a set of measurements containing timestamp, metric name, value, and a dimension.
metrics
True or False. Splunk, by default, automatically sets the frozen path when you create an index.
False. Frozen path is not set by default. Data is set to delete by default.
True or False. When hot buckets roll to warm they go to a different directory.
False. Hot and warm buckets stay in the same directory by default. When hot buckets roll to warm they are renamed.
True or False. The _introspection index tracks system performance and Splunk resource usage data.
True
By default, Splunk ____ are stored in SPLUNK_HOME/var/lib/splunk/
indexes
For undesired events that are in an _____, you can either let the events age out normally, use the delete command to make the unwanted events not show up in searches, or run the splunk clean command to delete ALL events from an ____. (Note: Same answer for both blanks)
index
When there are undesired events in an index, you have one of three options. The first option is to let an event age out normally. The second option prevents “deleted” events from showing in future searches by using the ____ command. The third option permanently destroys events and is done so by using the ____ command.
delete, clean
A ____ allows Splunk to track monitored input files, and contains file metadata which identifies a pointer to the file, and a pointer to where Splunk last read the file.
fishbucket
A fish bucket contains a ____ (which is a pointer to a file), and a ____ (which is a pointer showing where Splunk last left off indexing in a file).
head, tail
To restore a frozen bucket, it will need to be ____ by copying the bucket directory from the frozen path to the “thaweddb” directory.
thawed
True or False. Thawing a frozen bucket counts against your Splunk license.
False. It does not count against your Splunk license.
True or False. Frozen buckets roll to Thawed automatically.
False. To thaw a frozen bucket you will have to start by copying the bucket directory from the frozen directory to the index’s thaweddb directory and follow additional steps.
True or False. When creating an Index from the web, it creates a stanza in inputs.conf.
False. It creates a stanza in indexes.conf
True or False. When running the splunk clean command, you can set a date range for the events you want to delete.
False. There is no option to do that.
Which Splunk user role deals with Splunk administration and searching of all indexes?
a. Web users
b. Security users
c. Splunk admins
c. Splunk admins
Which Splunk user role deals with proxy and security indexes as well as searching the Web?
a. Web users
b. Security users
c. Splunk admins
b. Security users
Which Splunk user role deals with searching the Web index?
a. Web users
b. Security users
c. Splunk admins
a. Web users
There are multiple roles listed in the Splunk interface. This role has most capabilities and can create custom roles.
a. user
b. splunk-system-role
c. admin
d. can_delete
e. power
c. admin
There are multiple roles listed in the Splunk interface. In this role you can edit shared objects, saved searches, and alerts, tag events, and so on.
a. user
b. splunk-system-role
c. admin
d. can_delete
e. power
e. power
There are multiple roles listed in the Splunk interface. In this role you can create, edit, and run your own saved searches, edit your own preferences, create and edit event types, and do similar tasks.
a. user
b. splunk-system-role
c. admin
d. can_delete
e. power
a. user
There are multiple roles listed in the Splunk interface. In this role you can delete by keyword (necessary when using the delete search operator).
a. user
b. splunk-system-role
c. admin
d. can_delete
e. power
d. can_delete
There are multiple roles listed in the Splunk interface. This role allows Splunk system services to run without a defined user context.
a. user
b. splunk-system-role
c. admin
d. can_delete
e. power
b. splunk-system-role
This .conf file contains the configuration of Splunk roles. It should not be modified from the SPLUNK_HOME/etc/system/default/ (or _____ directory). Instead, it should be modified from the _____ directories.
authorize.conf
default
local
You can either use the “_____” tab to create a copy of an existing role in Splunk, or use the “____” selection in Splunk Web.
inheritance
clone
The failed login attempt threshold is configured in the ____ Management section of Splunk Web. You can use the “____” menu under Settings > Users, then Edit to unlock users.
password
unlock
True or False. Inheritance does allow inherited capabilities to be turned off.
False. Inheritance does NOT allow inherited capabilities to be turned off.
If you wanted to turn off certain capabilities when copying user role, would you use inheritance or clone?
Clone. Inheritance does NOT allow inherited capabilities to be turned off.
True or False. If you are installing a Search Head and an Indexer, Splunk requires an admin account on each instance.
True
True or False. You can unlock a user from the CLI.
True
____ gather data and send it to indexers over the network.
Forwarders
____ run on dedicated servers, listen on receiving ports, and store and index data.
Indexers
What is the receiving port number that indexers listen on when receiving data?
9997
Which type of forwarder does NOT have a GUI, gathers data from a host, does NOT parse data, and is designed to run on production servers? A heavy forwarder or a universal forwarder?
universal forwarder
What two configuration files need to be set up on a universal forwarder? What configuration file needs to be set up on an indexer?
universal forwarder: inputs.conf, outputs.conf
indexer: inputs.conf
This component of a Splunk environment is the built-in tool for centrally managing configuration packages as apps for clients. It also includes Forwarder Management as the graphical user interface.
deployment server
True or False. You have to configure a separate receiving port on the indexer for each universal forwarder.
False. You do not have to create a separate port for each UF.
True or False. When a UF is installed on Windows, the instance provides a GUI.
False. Universal Forwarders do not have a GUI on Windows OS or any other OS.
Running splunk add forward-server creates stanzas in which .conf file?
outputs.conf
____ ____ are distributed to indexers (search peers) by the search head when a distributed search is initiated. They also contain the knowledge objects required by indexers for searching.
knowledge bundles
The “Search Activity: Instance” menu in the ____ ____ shows the status of peers (indexers) in an environment.
Monitoring Console
Median resource usage (Memory, CPU), top 10 memory-consuming searches, and aggregate search runtime are all things that show the status of ____ in the Monitoring Console.
peers (or indexers)
Search peer ______ is used when an indexer experiences performance issues. It prevents an indexer from participating in future searches, only affects the relationship between indexer and search head, and allows live troubleshooting by not stopping the indexer.
quarantine
Each search head in a Splunk environment handles approximately ___ - ____ simultaneous searches that can either be ad hoc or scheduled searches.
a. 5 -10
b. 3-5
c. 8-12
d. 10-15
c. 8-12
Search heads can either be ____ (meaning they don’t share knowledge objects), or ____ (meaning they share a common set of knowledge objects).
a. dedicated
b. clustered
a. dedicated
b. clustered
Which type of search head (dedicated or clustered) is only used by a team of users with unique knowledge objects?
dedicated
True or False. When adding a Search Peer you must enter a username and password of an account on the search peer, with edit_roles capability.
False. The account must have edit_user capability.
True or False. Knowledge bundles contain the knowledge objects required by the indexers for searching.
True
True or False. A quarantined search peer is prevented from performing new searches but continues to attempt to service any currently running search.
True
______ maintains the user credentials (user ID and password, plus other information) centrally and handles all authentication.
LDAP
What is the term that’s used for single sign on authentication?
SAML
____ is the identity provider (IDP) for Splunk and maintains the user credentials and handles authentication.
SAML
With ____ authentication, IDP challenges a user for its credentials (i.e. requests a PIN). Meanwhile with ____ authentication, a user inputs their information, the LDAP server checks the user’s authentication, and if their credentials are correct, they are granted access.
SAML, LDAP
Supported types of data input in Splunk include which of the following? Select all that apply.
a. files and directories
b. network data
c. apps and add-ons
d. script output
e. Linux and Windows logs
f. HTTP
g. inputs.conf
a. files and directories
b. network data
d. script output
e. Linux and Windows logs
f. HTTP
The following are ways that you can ____ data input in Splunk.
apps and add-ons
Splunk Web
CLI
editing inputs.conf
add
____ settings are assigned when Splunk indexes event data. The places where ____ can come from include a host, source, index, and sourcetype. (Note: Same answer for both blanks)
metadata
Metadata can be created from one of four places. This place is the host where an event originates.
a. sourcetype
b. source
c. index
d. host
d. host
Metadata can be created from one of four places. This place is the source file, stream or input of an event.
a. sourcetype
b. source
c. index
d. host
b. source
Metadata can be created from one of four places. This is the format and category of data input.
a. sourcetype
b. source
c. index
d. host
a. sourcetype
Metadata can be created from one of four places. This is where data is stored by Splunk.
a. sourcetype
b. source
c. index
d. host
c. index
There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.
This option is used for data that’s never updated and gets indexed once. It’s good for testing and does not update inputs.conf
a. monitor
b. upload
c. forward
b. upload
There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.
This option can be used for data that is indexed once or continuously. It’s also useful for both testing and production, and DOES update inputs.conf
a. monitor
b. upload
c. forward
a. monitor
There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.
With this option, data is added from forwarders that are managed by a deployment server. This is the main source of input in production, and DOES update inputs.conf.
a. monitor
b. upload
c. forward
c. forward
____ ____ are Splunk’s way of categorizing data types.
source types
True or False. You cannot change the sourcetype when you go through the Settings > Add Data wizard.
False. You can change the source type from the dropdown. In fact, you can even create a new source type.
True or False. Splunk will not update an inputs.conf file when you use the Upload option in Settings > Add Data.
True. Upload is a one-time process, so Splunk does not update an inputs.conf.
Splunk ____ files are saved under SPLUNK_HOME/etc, and govern an aspect of functionality.
configuration
Which configuration file tells a Splunk instance to ingest data?
inputs.conf
True or False. btool shows on-disk configuration for requested file.
True
True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.
False. Best practice is to put the configuration in an app’s local directory (SPLUNK_HOME/etc/apps//local).
A universal forwarder can route data based on sources. To do this, what would you have to specify for each source in inputs.conf?
In addition to that, multiple tcpout stanzas would have to be defined in which configuration file?
_TCP_ROUTING
outputs.conf
This type of forwarder can parse data before forwarding it. It can also route data based on event criteria to different indexers or third party receivers. However it cannot perform distributed searches.
heavy forwarder
A ___ forwarder requires a minimal footprint on production servers, has faster processing, and supports simple routing or cloning data to separate indexers.
universal
A ___ forwarder is able to do all tasks that another type of forwarder can do, but it also supports complex, event-level routing. It can also mask data before forwarding it to an indexer, but it may increase network traffic.
heavy
____ forwarders (which can either be a combination of either heavy forwarders or universal forwarders), route data from input components to indexers or other ____ forwarders. Using ____ forwarders can reduce/limit bandwidth and limit security concerns. (Note: Same answer for all blanks).
intermediate
You can configure the receiver on a ___ forwarder one of two ways: run splunk enable listen, or modify inputs.conf with [splunktcp://].
You can configure forwarding on a ____ forwarder by either: running splunk add forward-server:, or modifying outputs.conf. (Note: Same answer for both blanks).
intermediate
There are additional forwarding options for intermediate forwarders. One is ________. This practice reduces network utilization, and slightly increases CPU utilization.
a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers
c. Compressing the feed
There are additional forwarding options for intermediate forwarders. One is ________. This encrypts the feed of data, and automatically compresses it.
a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers
b. Securing the feed
There are additional forwarding options for intermediate forwarders. One is ________. This is configured in outputs.conf and splits data between multiple indexers.
a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers
f. Automatic load balancing to multiple indexers
When data is sent to an indexer from a universal forwarder, ____ _____ have to be defined. An ___ ___ detects when one event ends and another event starts. It’s typically determined during parsing on an indexer or heavy forwarder. (Note: Same answer for both blanks)
event boundaries, event boundary
Enabling an event ___ on a universal forwarder per sourcetype can prevent event splits in data.
breaker
In which configuration file would event breaker settings be enabled on a universal forwarder?
a. props.conf
b. inputs.conf
c. outputs.conf
a. props.conf
There are additional forwarding options for intermediate forwarders. One is ________. This is configured in outputs.conf and guards against loss of forwarded data.
a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers
a. Indexer acknowledgement to forwarder
There are additional forwarding options for intermediate forwarders. One is ________. When a forwarder can’t reach an indexer, it automatically attempts to reach another one. If it can’t reach any indexers it is queued on the forwarder.
a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers
e. Forwarder queue size
If the forwarder is set to send its data to 2 indexers at 30 second intervals, does it switch exactly at the 30th second?
Not always. To prevent sending a partial event to an indexer, the forwarder waits for an EOF or a pause in I/O activity before it switches.
True or False. Turning SSL on between the forwarder and the receiver automatically compresses the feed.
True
What configuration file on the forwarder defines where data is to be forwarded to?
outputs.conf
Which installer will the System Admin use to install the heavy forwarder?
Splunk Enterprise
True or False. The UF and the HF can be used to mask data before transmitting to indexers.
False. Only the HF, specifically a Splunk Enterprise instance, can perform data masking.
There are 3 deployment server components. This component contains configuration files (such as inputs.conf) packaged as apps to be deployed to the deployment clients.
a. deployment apps
b. deployment clients
c. server class
a. deployment apps
There are 3 deployment server components. This component contains groupings of deployment clients, defines which apps should be deployed to which clients, and is saved in serverclass.conf.
a. deployment apps
b. deployment clients
c. server class
c. server class
There are 3 deployment server components. This component is a Splunk instance (Enterprise or UF) that is connected to the deployment server and phones home.
a. deployment apps
b. deployment clients
c. server class
b. deployment clients
A ___ ___ maps groups of clients to deployment apps. It can be based on a client name, host name, IP address, DNS name, or machine type.
server class
Which components in a Splunk environment are typically used as deployment clients?
a. indexers
b. search heads
c. forwarders
c. forwarders
What is the default phone home setting (in terms of time) on a deployment client?
60 seconds
Deployment client settings can be managed centrally by moving the ______.conf settings from etc/system/local/ to etc/apps/DC_app/local/.
deployment client
Apps in the …/etc/apps folder are for the ____ ___ and apps in the …/etc/deployment-apps folder are apps for deployment to a ______.
deployment server
client
When an app is deployed from the Deployment Server to the client, by default you will find the app in the _____ folder on the client.
SPLUNK_HOME/etc/apps
True or False. Clients poll the DS on port 9997.
False. Clients poll the DS on port 8089.
You can use the ____.conf file to monitor files and directories with the Splunk platform. Monitoring ____ defines a single file as the source with input settings (e.g. sourcetype, index, host, etc.). Monitoring ____ involves repeatedly traversing directories and monitoring all discovered files. (Note: Choose from directory or file for blank #2 and #3)
inputs.conf
files
directories
True or False. For monitor inputs in inputs.conf, the source is defined by placing it after “monitor://” in the stanza header.
True
There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. This is when Splunk ignores a file’s existing content, and indexes new data as it arrives.
a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan
a. followTail
There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. With this option, only events after the time window are indexed (e.g. only events since 60 days ago with ignoreOlderThan = 60d).
a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan
c. ignoreOlderThan
There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. Regular expressions are used to filter files or directories from the input. If there is a conflict, the blacklist prevails.
a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan
b. Whitelist and Blacklist
Do changes to the inputs.conf file on the deployment server or forwarders change or re-index existing ingested data? Why?
No. It only applies changes to new data.
True or False. You can use the wildcards ... and * in the whitelist and blacklist.
False. The wildcards ... and * are meant for the stanzas.
True or False. The host_regex setting in inputs.conf can extract the host from the filename only.
False. It can extract the host from the path of the file.
After a file monitor is set up and is running, if you change the host value, will the new host value be reflected for already ingested data?
No. All changes apply to the new data only. To reflect changes for your old data, you need to delete and re-ingest the old data.
In our environment, we have a UF, an Indexer and a SH. Which instance contains the fishbucket?
Each instance will have its own local fishbucket.
_____ inputs receive data that is sent to a Splunk instance on a TCP/UDP port (e.g. syslog). These inputs create a layer of resiliency (buffering, load balancing, cloning, indexer restarts), and can minimize indexer workload by managing network connections on the forwarder.
a. file inputs
b. network inputs
c. directory inputs
b. network inputs
When setting the host for network inputs, you have to set connection_host in inputs.conf. One type of host that can be used is ____ (the default for UDP inputs). This type of host is set to the originating host’s IP address.
a. none
b. ip
c. dns
b. ip
When setting the host for network inputs, you have to set connection_host in inputs.conf. One type of host that can be used is ____ (Custom in the UI). This type of host requires explicitly setting the host value.
a. none
b. ip
c. dns
a. none
When setting the host for network inputs, you have to set connection_host in inputs.conf. One type of host that can be used is ____ (the default for TCP inputs). This type of host is set to a DNS name using reverse IP lookup.
a. none
b. ip
c. dns
c. dns
Network input ______ provide input flow control, and only apply to TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and scripted inputs. They also handle network data bursts, slow resources, or slow forwarding.
queues
If indexers can’t be reached by a network input (TCP, UDP, or scripted input), data is stored in the ____ queue. If the ____ queue is full, data is stored in the ____ queue. If the ____ queue is full, data is stored in the ____ queue. (Note: Answers for blanks 1 and 2 are the same, answers for blanks 3 and 4 are the same, and the answer for blank 5 is different from those before it)
a. output queue
b. persistent queue
c. memory queue
Blank 1, 2:
a. output queue
Blank 3, 4:
c. memory queue
Blank 5:
b. persistent queue
Which type of the network input queue is described below? Persistent or memory?
- default queueSize is 500 KB
- buffers data before forwarding
- useful if indexer receives data slower than forwarder is acquiring it
- independent of forwarder’s maxQueueSize attribute
memory queue
Which type of the network input queue is described below? Persistent or memory?
- persistentQueueSize is set and doesn’t exist by default
- provides additional, file-system buffering of data
- written to var/run/splunk/…
- really useful for high-volume data and when there is a network outage to indexers
persistent queue
Splunk ____ for ____ (SC4S) lowers the burden of getting syslog into Splunk. In other words, Splunk overhead is lowered for improved scaling and distribution.
Connect, Syslog
It is a best practice to send data to a syslog collector that writes into a directory structure and then have a UF/HF ingest the data from the directory structure, because if the UF has to be restarted, the ______ will prevent data loss.
fishbucket
It’s possible to use the host value and not the DNS name or IP address for TCP input. You can do so by setting the connection_host to _________ and specifying the host value.
none
____ inputs schedule script execution and index the output. They are used by several Splunk apps to gather information from an OS or other server applications.
a. monitored inputs
b. network inputs
c. scripted inputs
c. scripted inputs
____ inputs support Shell (.sh), Batch (.bat), PowerShell (.ps1), and Python (.py) scripts.
a. monitored inputs
b. network inputs
c. scripted inputs
c. scripted inputs
Before defining a ____ input, the script has to be developed and tested. During the testing process, you test your script by copying it to Splunk’s bin directory. Then you deploy the scripted input using a deployment server.
a. monitored inputs
b. network inputs
c. scripted inputs
c. scripted inputs
The queueSize and the persistentQueueSize attributes buffer data on the _____ (Splunk component) when the network or indexer is unavailable.
forwarder
True or False. Persistent Queue and Memory Queue can be applied to Network as well as Scripted inputs.
True
True or False. An interval setting for scripted inputs can be specified in cron syntax.
True. The interval can be specified in either number of seconds or cron syntax.
A ____ _____ ____ (HEC) is a token-based HTTP input that sends events to Splunk without forwarders (such as logs from a web browser, automation scripts, or mobile apps).
HTTP Event Collector
Splunk ____ for ____ is an alternative way to collect difficult inputs (e.g. database servers without forwarders, network traffic that’s not visible in logs).
App, Stream (Splunk App for Stream)
True or False. Event Collector can be set up on a UF.
False. Event collector can be set up on an Indexer or HF.
True or False. Data can be sent in JSON or any raw data format to the event collector.
True
_____ inputs on Linux support the journalctl command for viewing logs collected by systemd. They collect thousands of events per second with minimal impact.
a. monitored inputs
b. network inputs
c. scripted inputs
d. operating system inputs
e. JournalD inputs
e. JournalD inputs
What type of input is the JournalD input on Linux?
a. monitored input
b. network input
c. scripted input
d. operating system input
d. operating system input
True or False. JournalD input only requires Splunk Enterprise 8.1 and inputs.conf settings.
True
True or False. Windows input from a Windows UF must be forwarded to an Indexer running Windows.
False. Any platform indexer can be used.
True or False. You can collect Active Directory data from a server remotely using wmi.conf.
False. Only event logs and performance monitoring logs can be collected using wmi.conf.
This part of the index-time process is handled at the source (typically a forwarder). Data sources are opened and read, and data is handled in streams.
a. parsing phase
b. input phase
c. indexing phase
b. input phase
This part of the index-time process is handled either by an indexer or a heavy forwarder. Data is broken up into events and advanced processing is performed.
a. parsing phase
b. input phase
c. indexing phase
a. parsing phase
This part of the index-time process is handled by indexers. Data is written to disk prior to compression. After data is written, it cannot be changed.
a. parsing phase
b. input phase
c. indexing phase
c. indexing phase
Event ____ distinguish where events begin and end. This takes place during the parsing phase.
boundaries
Line ___ splits the incoming stream of data into separate lines. Line _____, on the other hand, merges separate lines into individual events.
a. line merging
b. line breaking
a. line breaking
b. line merging
Custom timestamp extraction is specified in which configuration file?
a. inputs.conf
b. outputs.conf
c. props.conf
c. props.conf
The following setting improves the efficiency of timestamp extraction. It specifies how many _____ into the event to look for a timestamp.
MAX_TIMESTAMP_LOOKAHEAD =
characters
Before indexing data, sometimes it will need to be modified. An example of this is when there are cases of privacy concerns (financial information, healthcare, etc).
Splunk provides two methods of raw data transformations – SEDCMD and TRANSFORMS. _____ uses props.conf, and masks/truncates raw data. On the other hand, _________ uses props.conf and transforms.conf, and transforms events that match based on source, source type, or host.
SEDCMD
TRANSFORMS
There are two methods of raw data transformations – SEDCMD and TRANSFORMS. Which method provides “search and replace” using regular expressions and substitutions? An example of this is masking the first few digits of an account number.
SEDCMD
There are two methods of raw data transformations – SEDCMD and TRANSFORMS. Which method is based on REGEX pattern matches?
TRANSFORMS
There are four types of lookups. This type uses a CSV file stored in the lookups directory.
a. external
b. file-based
c. KV Store
d. geospatial
b. file-based
There are four types of lookups. This type requires collections.conf that defines fields.
a. external
b. file-based
c. KV Store
d. geospatial
c. KV Store
There are four types of lookups. This type uses a python script or an executable in the bin directory.
a. external
b. file-based
c. KV Store
d. geospatial
a. external
There are four types of lookups. This type uses a KMZ file saved in the lookups directory to support the choropleth visualization.
a. external
b. file-based
c. KV Store
d. geospatial
d. geospatial
____ ___ are stored in configuration files like macros.conf, tags.conf, eventtypes.conf, and savedsearches.conf.
Knowledge Objects
____ knowledge objects are knowledge objects that do not have an owner. This occurs when a Splunk account is deactivated and the KOs associated with that account remain in the system. They can cause performance problems and security concerns.
orphaned