Splunk System Admin Flashcards

1
Q

Do Splunk “Data” Admins or Splunk “System” Admins install, manage, and configure Splunk components?

A

System Admins

2
Q

Do Splunk “Data” Admins or Splunk “System” Admins work with users requesting new data sources?

A

Data Admins

3
Q

Input, parse, index, search are the four ____ of Splunk

A

stages

4
Q

All functions are in a single Splunk instance in this type of deployment:

a. distributed
b. basic
c. standalone

A

c. standalone

5
Q

This type of Splunk deployment is usually used for testing, proof of concept, personal use, and learning:

a. distributed
b. basic
c. standalone

A

c. standalone

6
Q

This type of Splunk deployment is similar to the standalone configuration, but manages the deployment of forwarder configurations.

a. distributed
b. basic
c. standalone

A

b. basic

7
Q

With this type of Splunk deployment, indexers are added to handle more inputs and searching. Search heads are also added to handle more searching.

a. distributed
b. basic
c. standalone

A

a. distributed

8
Q

With this type of Splunk deployment, forwarder configurations are managed with a dedicated deployment server.

a. distributed
b. basic
c. standalone

A

a. distributed

9
Q

This Splunk component allows users to submit search requests using SPL, distributes search requests to indexers, consolidates results and renders visualizations of results, and stores search-time knowledge objects (such as field extractions, alerts, and dashboards).

a. forwarders
b. indexers
c. search heads
d. deployment server

A

c. search heads

10
Q

This Splunk component receives incoming data from forwarders, indexes and stores data in Splunk indexes, and searches data in response to requests from search heads.

a. forwarders
b. indexers
c. search heads
d. deployment server

A

b. indexers

11
Q

Which Splunk component is responsible for parsing data into events?

a. forwarders
b. indexers
c. search heads
d. deployment server

A

b. indexers

12
Q

This Splunk component is responsible for monitoring configured inputs and forwarding the data to the indexers, requires minimal resources, and is typically installed on the machines that produce data.

a. forwarders
b. indexers
c. search heads
d. deployment server

A

a. forwarders

13
Q

Are forwarders responsible for searching, indexing/parsing, input, or management?

A

input

14
Q

Which Splunk component is responsible for managing the deployment clients in Splunk Enterprise?

a. forwarders
b. indexers
c. search heads
d. deployment server

A

d. deployment server

15
Q

This Splunk component acts as a centralized configuration manager for any number of deployment clients and requires a Splunk Enterprise license.

a. forwarders
b. indexers
c. search heads
d. deployment server

A

d. deployment server

16
Q

What are the default network ports for both the Splunk Enterprise and universal forwarders?

a. 8191
b. 8000
c. 8089
d. 8065

A

c. 8089

17
Q

What is the default Splunk Enterprise network port for Splunk Web?

a. 8191
b. 8000
c. 8089
d. 8065

A

b. 8000

18
Q

What is the default Splunk Enterprise network port for the Web app-server proxy?

a. 8191
b. 8000
c. 8089
d. 8065

A

d. 8065

19
Q

What is the default Splunk Enterprise network port for KV Store?

a. 8191
b. 8000
c. 8089
d. 8065

A

a. 8191

20
Q

True or False. Splunk Web, Web app-server proxy, and KV Store do not have default network ports for universal forwarders.

A

True

21
Q

True or False. S2S receiving port(s), network/http input(s), index replication port(s), and search replication port(s) have default network ports.

A

False

22
Q

NTP or ____ ___ ___ ensures that there is a standardized time configuration on Splunk servers. This is important because clock skew between hosts can affect the timestamp of events, and search results.

A

Network Time Protocol

23
Q

The ____ process spawns and controls Splunk child processes such as web proxy, KV store, and introspection services. It also accesses, processes, and indexes incoming data, and handles all search requests and returns results.

A

splunkd

24
Q

Splunk web ____ settings are used to set server configuration and server options.

A

server

25
Q

/opt/splunk/var/lib/splunk is the path to the existing _____ in a Splunk environment.

A

indexes

26
Q

What is the minimum amount of free disk space required for an index? (Note: If the disk space is less than the minimum amount, Splunk pauses indexing)

A

5000

27
Q

Do you use the Splunk Enterprise installer, or the Universal Forwarder installer to install indexers, search heads, the license master, the deployment server, the heavy forwarder, and the cluster manager?

A

Splunk Enterprise installer

28
Q

Do you use the Splunk Enterprise installer, or the Universal Forwarder installer to install your deployment client?

A

Universal forwarder installer

29
Q

The ___ ____ (MC) in Splunk is an admin-only app used to monitor and investigate data Splunk collects about itself, such as performance and resource usage.

A

Monitoring Console

30
Q

Is the Monitoring Console configured or un-configured by default in standalone mode? Can you enable it?

A

un-configured

yes

31
Q

Monitoring Console Alerts Setup provides preconfigured platform alerts. Are they enabled or disabled by default?

A

disabled

32
Q

The four types of Splunk _____ are Enterprise trial, Enterprise, Free, and Forwarder.

A

licenses

33
Q

This type of Splunk license comes with the product, is valid for 60 days, requires activation of another license type after the 60 day period, and has a 500 MB/day limit.

a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license

A

b. Enterprise trial license

34
Q

This type of Splunk license is purchased from Splunk, sets the daily indexing volume amount, has full functionality for indexing, search head, deployment server, etc., and allows searching even if you are in a license violation period.

a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license

A

d. Enterprise license

35
Q

This type of Splunk license disables alerts, scheduled searches, authentication, clustering, distributed search, summarization, and forwarding to non-Splunk servers. It also allows 500 MB/day of indexing and forwarding to other Splunk instances.

a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license

A

a. free license

36
Q

This Splunk license applies to non-indexing forwarders, sets a server up as a heavy forwarder, and allows authentication, but no indexing.

a. free license
b. Enterprise trial license
c. forwarder license
d. Enterprise license

A

c. forwarder license

37
Q

____ occur when indexing exceeds the allocated daily quota in a pool, they’re viewed in Splunk Web > Messages (as a “pool warning”), and may eventually result in a Warning.

a. alert
b. violation
c. warning

A

a. alert

38
Q

_____ occurs if an alert is triggered, and license capacity is not increased by midnight (by adding new license or moving capacity from another pool).

a. alert
b. violation
c. warning

A

c. warning

39
Q

_____ occurs after 5 warnings on an Enterprise license in a rolling 30-day period and requires a reset key from Splunk Support or Sales Team.

a. alert
b. violation
c. warning

A

b. violation

40
Q

True or False. These instances DO count against the daily license quota of Splunk:

– replicated data (Index Clusters)
– summary indexes
– Splunk internal logs (_internal, _audit, etc. indexes)
– structural components of an index (metadata, tsidx, etc.)

A

False. They DO NOT count against the daily license quota of Splunk.

41
Q

True or False. These instances DO NOT count against the daily license quota of Splunk:

– data from all sources that are indexed
– events: measured as the data (full size) that flows through the parsing pipeline per day
– metrics: measurement capped at 150 bytes per metric event

A

False. They DO count against the daily license quota of Splunk.

42
Q

____ _____ allows licenses to be subdivided and assigned to indexer groups. For example, a total stack of 500GB would be distributed differently in a single pool of indexers vs. a multiple-pool environment.

A

license pooling

43
Q

There are two types of pricing when it comes to Splunk licensing: Ingest-Based and Infrastructure-Based. ____ ____ is based on data volume and is the traditional licensing method.

A

Ingest-Based

44
Q

There are two types of pricing when it comes to Splunk licensing: Ingest-Based and Infrastructure-Based. ____ ____ is based on compute capacity and provides more control over searching and indexing.

A

Infrastructure-Based

45
Q

Splunk ____ gathers data and provides insight into instances. You can get information on server specs (e.g. OS version, current open connections) and the Splunk platform (e.g. contents of SPLUNK_HOME/etc such as app configurations, and Splunk log files).

A

diag

46
Q

True or False. Splunk provides separate licenses for metrics and events data.

A

False. Metrics data draws from the same license quota as event data.

47
Q

True or False. Search Heads also need an Enterprise License (directly or through a License Master) even without configuring any inputs.

A

True

48
Q

True or False. If the indexing exceeds the daily license quota in a pool, your license will go into a violation.

A

False. Indexing that exceeds the allocated daily quota in a pool is an alert. An alert not fixed by midnight turns into a warning.

49
Q

Splunk ____ are a collection of configuration files, scripts, web assets, etc. They may be focused on specific types of data, vendor, OS, industry, or business needs.

A

apps

50
Q

Splunk ____ are installed under SPLUNK_HOME/etc/apps.

A

apps

51
Q

This type of Splunk app permission allows a user to see an app and use it, add knowledge objects (KOs), and modify KOs they own.

a. write permissions
b. read permissions

A

b. read permissions

52
Q

This type of Splunk app permission allows a user to share KOs they own and delete KOs used in the app.

a. read permissions
b. write permissions

A

b. write permissions

53
Q

A Splunk ___- ____ is a reusable component that supports other apps. It is also often used for data collection, and DOES NOT contain Splunk Web UI components (reports or dashboards).

A

add-on

54
Q

____ add-ons (TAs) are specialized add-ons that help collect, transform, and normalize data feeds from specific sources.

A

Technology

55
Q

True or False. Write permissions to an app mean that the user’s role is able to modify the app.

A

False. User roles with write permission can add/delete/modify knowledge objects used in the app.

56
Q

True or False. Universal forwarders don’t have a web interface, but they can still benefit from an app.

A

True

57
Q

____ files govern an aspect of Splunk functionality. They are saved under SPLUNK_HOME/etc.

A

configuration

58
Q

Do configuration text files generally use a case-sensitive [stanza] and have a format of attribute = value?

A

Yes

59
Q

There are three ways that you can edit Splunk ____: in Splunk Web, using the Splunk CLI, or by editing .conf files.

A

configurations

60
Q

What components of the Splunk environment generally use the outputs.conf configuration file? Choose all that apply.

a. indexer
b. forwarder
c. search head

A

b. forwarder

c. search head

61
Q

Which configuration file is responsible for where to forward data?

a. outputs.conf
b. inputs.conf
c. props.conf

A

a. outputs.conf

62
Q

This Splunk component uses props.conf for search-time field extractions, lookups, etc. However, ____ use props.conf for parsing, and ____ use props.conf for limited parsing. (Note: All answers below are used. Place them in the correct blanks above)

a. indexer
b. forwarder
c. search head

A

c. search head
a. indexer
b. forwarder

63
Q

Which configuration file is responsible for what data is collected?

a. outputs.conf
b. inputs.conf
c. props.conf

A

b. inputs.conf

64
Q

Inputs.conf configuration files in ___ ___ collect internal Splunk log data. ____ inputs.conf configuration files collect data AND determine which ports to listen to. Inputs.conf configuration files on ____ collect production data. (Note: All answers below are used. Place them in the correct blanks above)

a. indexer
b. forwarder
c. search head

A

c. search head
a. indexer
b. forwarder

65
Q

_____ configuration files come with Splunk out of the box. ____ configuration files do not.

a. local
b. default

A

b. default

a. local

66
Q

____ configuration files are overwritten when updates apply. They SHOULD NOT be modified. On the other hand, ____ configuration files keep changes. Changes are preserved when updates occur. Also, this is the only file of the two that you should modify, and the settings override default settings.

a. local
b. default

A

b. default

a. local

67
Q

Configuration files fall into one of two file contexts: App/User Context or Global Context. Global Context configuration files are used during ____ time, while App/User Context configuration files are used during ____ time.

a. index time
b. search time

A

a. index time

b. search time

68
Q

Which three configuration files are examples of Global Context files?

a. macros.conf
b. savedsearches.conf
c. outputs.conf
d. props.conf
e. inputs.conf

A

c. outputs.conf
d. props.conf
e. inputs.conf

69
Q

Which three configuration files are examples of App/User Context files?

a. macros.conf
b. savedsearches.conf
c. outputs.conf
d. props.conf
e. inputs.conf

A

a. macros.conf
b. savedsearches.conf
d. props.conf

70
Q

Which use case below is an example of a Global Context configuration use case? Which case is an example of an App/User Context configuration use case?

a. a private report in the Search app
b. a network input to collect syslog data

A

b. a network input to collect syslog data

a. a private report in the Search app

71
Q

_____ ____ configuration files cover background tasks (input, parsing, and indexing) that are user-independent. ____ ____ configuration files are connected to user-related activity, and include searching and search-time processing. (Answer: Choose from either Global Context or App/User Context)

A

Global Context, App/User Context

72
Q

The Splunk ____ shows on-disk configuration for a requested file. It’s useful for checking configuration scope and permission rules.

A

tool

73
Q

Which configuration file tells a Splunk instance to ingest data?

A

inputs.conf

74
Q

True or False. btool shows on-disk configuration for a requested file.

A

True

75
Q

True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.

A

False. The best place to put the configuration is in an app’s local directory (SPLUNK_HOME/etc/apps//local).

76
Q

_____ store input data as events. main and _internal are examples of these that are included by default with the Splunk application.

A

indexes

77
Q

____ can be used to limit the scope of a search, and allow the ability to limit access by user.

A

indexes

78
Q

____ are found in the following location: SPLUNK_DB (SPLUNK_HOME/var/lib/splunk)

A

indexes

79
Q

This type of index contains network data.

a. security
b. proxy
c. web

A

b. proxy

80
Q

_internal, _audit, _introspection, _thefishbucket, summary, and main are all examples of _____ indexes.

A

preconfigured

81
Q

This preconfigured index consists of Splunk’s own logs and metrics.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

c. _internal

82
Q

This preconfigured index stores Splunk audit trails and other optional auditing information.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

f. _audit

83
Q

This preconfigured index tracks system performance, Splunk resource usage data, and provides the Monitoring Console (MC) with performance data.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

b. _introspection

84
Q

This preconfigured index contains checkpoint information for file monitoring inputs.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

e. _thefishbucket

85
Q

This preconfigured index is the default index for the summary indexing system.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

a. summary

86
Q

This preconfigured index is the default index for inputs and is in the defaultdb directory.

a. summary
b. _introspection
c. _internal
d. main
e. _thefishbucket
f. _audit

A

d. main

87
Q

____ are part of an index that stores events, and are directories containing a set of raw data.

A

buckets

88
Q

What is the default index size?

A

500GB

89
Q

____ are a set of measurements, each containing a timestamp, metric name, value, and dimension.

A

metrics

90
Q

True or False. Splunk, by default, automatically sets the frozen path when you create an index.

A

False. The frozen path is not set by default. Data is set to delete by default.

91
Q

True or False. When hot buckets roll to warm they go to a different directory.

A

False. Hot and warm buckets stay in the same directory by default. When hot buckets roll to warm they are renamed.

92
Q

True or False. The _introspection index tracks system performance and Splunk resource usage data.

A

True

93
Q

By default, Splunk ____ are stored in SPLUNK_HOME/var/lib/splunk/

A

indexes

94
Q

For undesired events that are in an _____, you can either let the events age out normally, use the delete command to make the unwanted events not show up in searches, or run the splunk clean command to delete ALL events from an ____. (Note: Same answer for both blanks)

A

index

95
Q

When there are undesired events in an index, you have one of three options. The first option is to let an event age out normally. The second option prevents “deleted” events from showing in future searches by using the ____ command. The third option permanently destroys events and is done so by using the ____ command.

A

delete, clean

96
Q

A ____ allows Splunk to track monitored input files, and contains file metadata which identifies a pointer to the file, and a pointer to where Splunk last read the file.

A

fishbucket

97
Q

A fish bucket contains a ____ (which is a pointer to a file), and a ____ (which is a pointer showing where Splunk last left off indexing in a file).

A

head, tail

98
Q

To restore a frozen bucket, it will need to be ____ by copying the bucket directory from the frozen path to the “thaweddb” directory.

A

thawed

99
Q

True or False. Thawing a frozen bucket counts against your Splunk license.

A

False. It does not count against your Splunk license.

100
Q

True or False. Frozen buckets roll to Thawed automatically.

A

False. To thaw a frozen bucket you will have to start by copying the bucket directory from the frozen directory to the index’s thaweddb directory and follow additional steps.

101
Q

True or False. When creating an Index from the web, it creates a stanza in inputs.conf.

A

False. It creates a stanza in indexes.conf.

102
Q

True or False. When running the splunk clean command, you can set a date range for the events you want to delete.

A

False. There is no option to do that.

103
Q

Which Splunk user role deals with Splunk administration and searching of all indexes?

a. Web users
b. Security users
c. Splunk admins

A

c. Splunk admins

104
Q

Which Splunk user role deals with proxy and security indexes as well as searching the Web index?

a. Web users
b. Security users
c. Splunk admins

A

b. Security users

105
Q

Which Splunk user role deals with searching the Web index?

a. Web users
b. Security users
c. Splunk admins

A

a. Web users

106
Q

There are multiple roles listed in the Splunk interface. This role has most capabilities and can create custom roles.

a. user
b. splunk-system-role
c. admin
d. can_delete
e. power

A

c. admin

107
Q

There are multiple roles listed in the Splunk interface. In this role you can edit shared objects, saved searches, and alerts, tag events, and so on.

a. user
b. splunk-system-role
c. admin
d. can_delete
e. power

A

e. power

108
Q

There are multiple roles listed in the Splunk interface. In this role you can create, edit, and run your own saved searches, edit your own preferences, create and edit event types, and do similar tasks.

a. user
b. splunk-system-role
c. admin
d. can_delete
e. power

A

a. user

109
Q

There are multiple roles listed in the Splunk interface. In this role you can delete by keyword (necessary when using the delete search operator).

a. user
b. splunk-system-role
c. admin
d. can_delete
e. power

A

d. can_delete

110
Q

There are multiple roles listed in the Splunk interface. This role allows Splunk system services to run without a defined user context.

a. user
b. splunk-system-role
c. admin
d. can_delete
e. power

A

b. splunk-system-role

111
Q

This .conf file contains the configuration of Splunk roles. It should not be modified from the SPLUNK_HOME/etc/system/default/ (or _____ directory). Instead, it should be modified from the _____ directories.

A

authorize.conf
default
local

112
Q

You can either use the “_____” tab to create a copy of an existing role in Splunk, or use the “____” selection in Splunk Web.

A

inheritance

clone

113
Q

The failed login attempt threshold is configured in the ____ Management section of Splunk Web. You can use the “____” menu under Settings > Users, then Edit to unlock users.

A

password

unlock

114
Q

True or False. Inheritance does allow inherited capabilities to be turned off.

A

False. Inheritance does NOT allow inherited capabilities to be turned off.

115
Q

If you wanted to turn off certain capabilities when copying user role, would you use inheritance or clone?

A

Clone. Inheritance does NOT allow inherited capabilities to be turned off.

116
Q

True or False. If you are installing a Search Head and an Indexer, Splunk requires an admin account on each instance.

A

True

117
Q

True or False. You can unlock a user from the CLI.

A

True

118
Q

____ gather data and send it to indexers over the network.

A

Forwarders

119
Q

____ run on dedicated servers, listen on receiving ports, and store and index data.

A

Indexers

120
Q

What is the receiving port number that indexers listen on when receiving data?

A

9997

121
Q

Which type of forwarder does NOT have a GUI, gathers data from a host, does NOT parse data, and is designed to run on production servers? A heavy forwarder or a universal forwarder?

A

universal forwarder

122
Q

What two configuration files need to be set up on a universal forwarder? What configuration file needs to be set up on an indexer?

A

universal forwarder: inputs.conf, outputs.conf

indexer: inputs.conf

123
Q

This component of a Splunk environment is the built-in tool for centrally managing configuration packages as apps for clients. It also includes Forwarder Management as the graphical user interface.

A

deployment server

124
Q

True or False. You have to configure a separate receiving port on the indexer for each universal forwarder.

A

False. You do not have to create a separate port for each UF.

125
Q

True or False. When a UF is installed on Windows, the instance provides a GUI.

A

False. Universal Forwarders do not have a GUI on Windows OS or any other OS.

126
Q

Running splunk add forward-server creates stanzas in which .conf file?

A

outputs.conf

127
Q

____ ____ are distributed to indexers (search peers) by the search head when a distributed search is initiated. They also contain the knowledge objects required by indexers for searching.

A

knowledge bundles

128
Q

The “Search Activity: Instance” menu in the ____ ____ shows the status of peers (indexers) in an environment.

A

Monitoring Console

129
Q

Median resource usage (Memory, CPU), top 10 memory-consuming searches, and aggregate search runtime are all things that show the status of ____ in the Monitoring Console.

A

peers (or indexers)

130
Q

Search peer ______ is used when an indexer experiences performance issues. It prevents an indexer from participating in future searches, only affects the relationship between indexer and search head, and allows live troubleshooting by not stopping the indexer.

A

quarantine

131
Q

Each search head in a Splunk environment handles approximately ___ - ____ simultaneous searches that can either be ad hoc or scheduled searches.

a. 5-10
b. 3-5
c. 8-12
d. 10-15

A

c. 8-12

132
Q

Search heads can either be ____ (meaning they don’t share knowledge objects), or ____ (meaning they share a common set of knowledge objects).

a. dedicated
b. clustered

A

a. dedicated

b. clustered

133
Q

Which type of search head (dedicated or clustered) is only used by a team of users with unique knowledge objects?

A

dedicated

134
Q

True or False. When adding a Search Peer you must enter a username and password of an account on the search peer with the edit_roles capability.

A

False. The account must have the edit_user capability.

135
Q

True or False. Knowledge bundles contain the knowledge objects required by the indexers for searching.

A

True

136
Q

True or False. A quarantined search peer is prevented from performing new searches but continues to attempt to service any currently running search.

A

True

137
Q

______ maintains the user credentials (user ID and password, plus other information) centrally and handles all authentication.

A

LDAP

138
Q

What is the term that’s used for single sign on authentication?

A

SAML

139
Q

____ is the identity provider (IDP) for Splunk and maintains the user credentials and handles authentication.

A

SAML

140
Q

With ____ authentication, the IDP challenges a user for their credentials (e.g. requests a PIN). Meanwhile, with ____ authentication, a user inputs their information, the LDAP server checks the user’s authentication, and if their credentials are correct, they are granted access.

A

SAML, LDAP

141
Q

Supported types of data input in Splunk include which of the following? Select all that apply.

a. files and directories
b. network data
c. apps and add-ons
d. script output
e. Linux and Windows logs
f. HTTP
g. inputs.conf

A

a. files and directories
b. network data
d. script output
e. Linux and Windows logs
f. HTTP

142
Q

The following are ways that you can ____ data input in Splunk.

apps and add-ons
Splunk Web
CLI
editing inputs.conf

A

add

143
Q

____ settings are assigned when Splunk indexes event data. The places where ____ can come from include a host, source, index, and sourcetype. (Note: Same answer for both blanks)

A

metadata

144
Q

Metadata can be created from one of four places. This place is the host where an event originates.

a. sourcetype
b. source
c. index
d. host

A

d. host

145
Q

Metadata can be created from one of four places. This place is the source file, stream or input of an event.

a. sourcetype
b. source
c. index
d. host

A

b. source

146
Q

Metadata can be created from one of four places. This is the format and category of data input.

a. sourcetype
b. source
c. index
d. host

A

a. sourcetype

147
Q

Metadata can be created from one of four places. This is where data is stored by Splunk.

a. sourcetype
b. source
c. index
d. host

A

c. index

148
Q

There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.

This option is used for data that’s never updated and gets indexed once. It’s good for testing and does not update inputs.conf.

a. monitor
b. upload
c. forward

A

b. upload

149
Q

There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.

This option can be used for data that is indexed once or continuously. It’s also useful for both testing and production, and DOES update inputs.conf.

a. monitor
b. upload
c. forward

A

a. monitor

150
Q

There are 3 ways to add data in the Splunk environment. The first is the upload option, the second is the monitor option, and the third is the forward option.

With this option, data is added from forwarders that are managed by a deployment server. This is the main source of input in production, and DOES update inputs.conf.

a. monitor
b. upload
c. forward

A

c. forward

151
Q

____ ____ are Splunk’s way of categorizing data types.

A

source types

152
Q

True or False. You cannot change the sourcetype when you go through the Settings > Add Data wizard.

A

False. You can change the source type from the dropdown. In fact, you can even create a new source type.

153
Q

True or False. Splunk will not update an inputs.conf file when you use the Upload option in Settings > Add Data.

A

True. Upload is a one-time process, so Splunk does not update an inputs.conf.

154
Q

Splunk ____ files are saved under SPLUNK_HOME/etc, and govern an aspect of functionality.

A

configuration

155
Q

Which configuration file tells a Splunk instance to ingest data?

A

inputs.conf

156
Q

True or False. btool shows the on-disk configuration for a requested file.

A

True

157
Q

True or False. The best place to add a parsing configuration on an indexer would be the SPLUNK_HOME/etc/system/local directory, as it has the highest precedence.

A

False. Best practice is to put the configuration in an app’s local directory (SPLUNK_HOME/etc/apps//local).

158
Q

A universal forwarder can route data based on sources. To do this, what would you have to specify for each source in inputs.conf?

In addition to that, multiple tcpout stanzas would have to be defined in which configuration file?

A

_TCP_ROUTING

outputs.conf

159
Q

This type of forwarder can parse data before forwarding it. It can also route data based on event criteria to different indexers or third-party receivers. However, it cannot perform distributed searches.

A

heavy forwarder

160
Q

A ___ forwarder requires a minimal footprint on production servers, has faster processing, and supports simple routing or cloning data to separate indexers.

A

universal

161
Q

A ___ forwarder is able to do all tasks that another type of forwarder can do, but it also supports complex, event-level routing. It can also mask data before forwarding it to an indexer, but it may increase network traffic.

A

heavy

162
Q

____ forwarders (which can be heavy forwarders, universal forwarders, or a combination of both) route data from input components to indexers or other ____ forwarders. Using ____ forwarders can reduce/limit bandwidth and limit security concerns. (Note: Same answer for all blanks).

A

intermediate

163
Q

You can configure the receiver on a ___ forwarder one of two ways: run splunk enable listen, or modify inputs.conf with [splunktcp://].

You can configure forwarding on a ____ forwarder by either: running splunk add forward-server:, or modifying outputs.conf. (Note: Same answer for both blanks).

A

intermediate

164
Q

There are additional forwarding options for intermediate forwarders. One is ________. This practice reduces network utilization, and slightly increases CPU utilization.

a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers

A

c. Compressing the feed

165
Q

There are additional forwarding options for intermediate forwarders. One is ________. This encrypts the feed of data, and automatically compresses it.

a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers

A

b. Securing the feed

166
Q

There are additional forwarding options for intermediate forwarders. One is ________. This is configured in outputs.conf and splits data between multiple indexers.

a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers

A

f. Automatic load balancing to multiple indexers

167
Q

When data is sent to an indexer from a universal forwarder, ____ _____ have to be defined. An ___ ___ detects when one event ends and another event starts. It’s typically determined during parsing on an indexer or heavy forwarder. (Note: Same answer for both blanks)

A

event boundaries, event boundary

168
Q

Enabling an event ___ on a universal forwarder per sourcetype can prevent event splits in data.

A

breaker

169
Q

In which configuration file would event breaker settings be enabled on a universal forwarder?

a. props.conf
b. inputs.conf
c. outputs.conf

A

a. props.conf

170
Q

There are additional forwarding options for intermediate forwarders. One is ________. This is configured in outputs.conf and guards against loss of forwarded data.

a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers

A

a. Indexer acknowledgement to forwarder

171
Q

There are additional forwarding options for intermediate forwarders. One is ________. When a forwarder can’t reach an indexer, it automatically attempts to reach another one. If it can’t reach any indexers it is queued on the forwarder.

a. Indexer acknowledgement to forwarder
b. Securing the feed
c. Compressing the feed
d. Send the feed over HTTP
e. Forwarder queue size
f. Automatic load balancing to multiple indexers

A

e. Forwarder queue size

172
Q

If the forwarder is set to send its data to 2 indexers at 30-second intervals, does it switch exactly at the 30th second?

A

Not always. To prevent sending a partial event to an indexer, the forwarder waits for an EOF or a pause in I/O activity before it switches.

173
Q

True or False. Turning SSL on between the forwarder and the receiver automatically compresses the feed.

A

True

174
Q

What configuration file on the forwarder defines where data is to be forwarded to?

A

outputs.conf

175
Q

Which installer will the System Admin use to install the heavy forwarder?

A

Splunk Enterprise

176
Q

True or False. The UF and the HF can be used to mask data before transmitting to indexers.

A

False. Only the HF, specifically a Splunk Enterprise instance, can perform data masking.

177
Q

There are 3 deployment server components. This component contains configuration files (such as inputs.conf) packaged as apps to be deployed to the deployment clients.

a. deployment apps
b. deployment clients
c. server class

A

a. deployment apps

178
Q

There are 3 deployment server components. This component contains groupings of deployment clients, defines what apps should be deployed to which clients, and is saved in serverclass.conf.

a. deployment apps
b. deployment clients
c. server class

A

c. server class

179
Q

There are 3 deployment server components. This component is a Splunk instance (Enterprise or UF) that is connected to the deployment server and phones home.

a. deployment apps
b. deployment clients
c. server class

A

b. deployment clients

180
Q

A ___ ___ maps groups of clients to deployment apps. It can be based on a client name, host name, IP address, DNS name, or machine types.

A

server class

181
Q

Which components in a Splunk environment are typically used as deployment clients?

a. indexers
b. search heads
c. forwarders

A

c. forwarders

182
Q

What is the default phone home setting (in terms of time) on a deployment client?

A

60 seconds

183
Q

Deployment client settings can be managed centrally by moving the ______.conf settings from etc/system/local/ to etc/apps/DC_app/local/.

A

deployment client

184
Q

Apps in the …/etc/apps folder are for the ____ ___ and apps in the …/etc/deployment-apps folder are apps for deployment to a ______.

A

deployment server

client

185
Q

When an app is deployed from the Deployment Server to the client, by default you will find the app in the _____ folder on the client.

A

SPLUNK_HOME/etc/apps

186
Q

True or False. Clients poll the DS on port 9997.

A

False. Clients poll the DS on port 8089.

187
Q

You can use the ____.conf file to monitor files and directories with the Splunk platform. Monitoring ____ defines a single file as the source with input settings (e.g. sourcetype, index, host, etc.). Monitoring ____ involves repeatedly traversing directories and monitoring all discovered files. (Note: Choose from directory or file for blank #2 and #3)

A

inputs.conf
files
directories

188
Q

True or False. When monitoring input options in inputs.conf, the source is defined by placing it after “monitor://” in the stanza header.

A

True

189
Q

There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. This is when Splunk ignores a file’s existing content, and indexes new data as it arrives.

a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan

A

a. followTail

190
Q

There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. With this option, only events after the time window are indexed (i.e. only events since 60 days ago with ignoreOlderThan = 60d).

a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan

A

c. ignoreOlderThan

191
Q

There are additional options that you can use in the inputs.conf file to monitor files and directories. One is _____. Regular expressions are used to filter files or directories from the input. If there is a conflict, the blacklist prevails.

a. followTail
b. Whitelist and Blacklist
c. ignoreOlderThan

A

b. Whitelist and Blacklist

192
Q

Does the inputs.conf file on the deployment server or forwarders change existing ingested data or re-index it? Why?

A

No. It only applies changes to new data.

193
Q

True or False. You can use the wildcards ... and * in the whitelist and blacklist.

A

False. The wildcards ... and * are meant for the stanzas.

194
Q

True or False. The host_regex setting in inputs.conf can extract the host from the filename only.

A

False. It can extract the host from the path of the file.

195
Q

After a file monitor is set up and is running, if you change the host value, will the new host value be reflected for already ingested data?

A

No. All changes apply to the new data only. To reflect changes for your old data, you need to delete and re-ingest the old data.

196
Q

In our environment, we have a UF, an Indexer and a SH. Which instance contains the fishbucket?

A

Each instance will have its own local fishbucket.

197
Q

_____ inputs ingest data that is sent to a Splunk instance on a TCP/UDP port (e.g. syslog). These inputs create a layer of resiliency (buffering, load balancing, cloning, indexer restarts), and can minimize indexer workload by managing network connections on the forwarder.

a. file inputs
b. network inputs
c. directory inputs

A

b. network inputs

198
Q

When creating a host for network inputs, you have to set inputs.conf with the connection_host. One type of host that can be used is ____ (the default of UDP inputs). This type of host is set to the originating host’s IP address.

a. none
b. ip
c. dns

A

b. ip

199
Q

When creating a host for network inputs, you have to set inputs.conf with the connection_host. One type of host that can be used is ____ (Custom in the UI). This type of host requires explicitly setting the host value.

a. none
b. ip
c. dns

A

a. none

200
Q

When creating a host for network inputs, you have to set inputs.conf with the connection_host. One type of host that can be used is ____ (default for TCP inputs). This type of host is set to a DNS name using reverse IP lookup.

a. none
b. ip
c. dns

A

c. dns

201
Q

Network input ______ provide input flow control, and only apply to TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and scripted input. These also control network data bursts, slow resources, or slow forwarding.

A

queues

202
Q

If indexers can’t be reached in the network input queue (for TCP, UDP, and scripted input), data is stored in the ____ queue. If the ____ is full, data is stored in the ____ queue. If the ____ queue is full, data is stored in the ____ queue. (Note: Answers for blanks 1 and 2 the same, answers for blanks 3 and 4 the same, answer for blank five is different than those before it)

a. output queue
b. persistent queue
c. memory queue

A

Blank 1, 2:
a. output queue

Blank 3, 4:
c. memory queue

Blank 5:
b. persistent queue

203
Q

Which type of the network input queue is described below? Persistent or memory?

  • default queueSize is 500 KB
  • buffers data before forwarding
  • useful if indexer receives data slower than forwarder is acquiring it
  • independent of forwarder’s maxQueueSize attribute

A

memory queue

204
Q

Which type of the network input queue is described below? Persistent or memory?

  • persistentQueueSize is set and doesn’t exist by default
  • provides additional, file-system buffering of data
  • written to var/run/splunk/…
  • really useful for high-volume data and when there is a network outage to indexers

A

persistent queue

205
Q

Splunk ____ for ____ (SC4S) lowers the burden of getting syslog into Splunk. In other words, Splunk overhead is lowered for improved scaling and distribution.

A

Connect, Syslog

206
Q

It is a best practice to send data to a syslog collector that writes into a directory structure and then have a UF/HF ingest the data from the directory structure, because if the UF has to be restarted, the ______ will prevent data loss.

A

fishbucket

207
Q

It’s possible to use the host value and not the DNS name or IP address for TCP input. You can do so by setting the connection_host to _________ and specifying the host value.

A

none

208
Q

____ inputs schedule script execution and index the output. They are used by several Splunk apps to gather information from an OS or other server applications.

a. monitored inputs
b. network inputs
c. scripted inputs

A

c. scripted inputs

209
Q

____ inputs support Shell (.sh), Batch (.bat), PowerShell (.ps1), and Python (.py) scripts.

a. monitored inputs
b. network inputs
c. scripted inputs

A

c. scripted inputs

210
Q

Before defining ____, they have to be developed and tested. During the testing process, you test your script by copying it to Splunk’s bin directory. Then you deploy the script input using a deployment server.

a. monitored inputs
b. network inputs
c. scripted inputs

A

c. scripted inputs

211
Q

The queueSize and the persistentQueueSize attributes buffer data on the _____ (Splunk component) when the network or indexer is unavailable.

A

forwarder

212
Q

True or False. Persistent Queue and Memory Queue can be applied to Network as well as Scripted inputs.

A

True

213
Q

True or False. An interval setting for scripted inputs can be specified in cron syntax.

A

True. The interval can be specified in either number of seconds or cron syntax.

214
Q

A ____ _____ ____ (HEC) is a token-based HTTP input that sends events to Splunk without forwarders (such as logs from a web browser, automation scripts, or mobile apps).

A

HTTP Event Collector

215
Q

Splunk ____ for ____ is an alternative way to collect difficult inputs (e.g. database servers without forwarders, network traffic that’s not visible in logs).

A

App, Stream (Splunk App for Stream)

216
Q

True or False. Event Collector can be set up on a UF.

A

False. Event collector can be set up on an Indexer or HF.

217
Q

True or False. Data can be sent in JSON or any raw data format to the event collector.

A

True

218
Q

_____ inputs on Linux support the journalctl command for viewing logs that are collected by systemd. They collect thousands of events per second with minimal impact.

a. monitored inputs
b. network inputs
c. scripted inputs
d. operating system inputs
e. JournalD inputs

A

e. JournalD inputs

219
Q

What type of input is the JournalD input on Linux?

a. monitored input
b. network input
c. scripted input
d. operating system input

A

d. operating system input

220
Q

True or False. JournalD input only requires Splunk Enterprise 8.1 and inputs.conf settings.

A

True

221
Q

True or False. Windows input from a Windows UF must be forwarded to an Indexer running Windows.

A

False. Any platform indexer can be used.

222
Q

True or False. You can collect Active Directory data from a Server remotely using wmi.conf.

A

False. Only event logs and performance monitoring logs can be collected using wmi.conf.

223
Q

This part of the index-time process is handled at the source (typically a forwarder). Data sources are opened and read, and data is handled in streams.

a. parsing phase
b. input phase
c. indexing phase

A

b. input phase

224
Q

This part of the index-time process is handled either by an indexer or a heavy forwarder. Data is broken up into events and advanced processing is performed.

a. parsing phase
b. input phase
c. indexing phase

A

a. parsing phase

225
Q

This part of the index-time process is handled by indexers. Data is written to disk prior to compression. After data is written, it cannot be changed.

a. parsing phase
b. input phase
c. indexing phase

A

c. indexing phase

226
Q

Event ____ distinguish where events begin and end. This takes place during the parsing phase.

A

boundaries

227
Q

Line ___ splits the incoming stream of data into separate lines. Line _____, on the other hand, merges separate lines to make individual events.

a. line merging
b. line breaking

A

a. line breaking

b. line merging

228
Q

Custom timestamp extraction is specified in which configuration file?

a. inputs.conf
b. outputs.conf
c. props.conf

A

c. props.conf

229
Q

The following syntax improves the efficiency of timestamp extraction. It specifies how many _____ into an event to look for a timestamp.

MAX_TIMESTAMP_LOOKAHEAD =

A

characters

230
Q

Before indexing data, sometimes it will need to be modified. An example of this is when there are privacy concerns (financial information, healthcare, etc.).

Splunk provides two methods of raw data transformations – SEDCMD and TRANSFORMS. _____ uses props.conf, and masks/truncates raw data. On the other hand, _________ uses props.conf and transforms.conf, and transforms events that match based on source, source type, or host.

A

SEDCMD

TRANSFORMS

231
Q

There are two methods of raw data transformations – SEDCMD and TRANSFORMS. Which method provides “search and replace” using regular expressions and substitutions? An example of this is hiding the first few numbers of an account.

A

SEDCMD

232
Q

There are two methods of raw data transformations – SEDCMD and TRANSFORMS. Which method is based on REGEX pattern matches?

A

TRANSFORMS

233
Q

There are four types of lookups. This type uses a CSV file stored in the lookups directory.

a. external
b. file-based
c. KV Store
d. geospatial

A

b. file-based

234
Q

There are four types of lookups. This type requires collections.conf that defines fields.

a. external
b. file-based
c. KV Store
d. geospatial

A

c. KV Store

235
Q

There are four types of lookups. This type uses a Python script or an executable in the bin directory.

a. external
b. file-based
c. KV Store
d. geospatial

A

a. external

236
Q

There are four types of lookups. This type uses a KMZ file saved in the lookups directory to support the choropleth visualization.

a. external
b. file-based
c. KV Store
d. geospatial

A

d. geospatial

237
Q

____ ___ are stored in configuration files like macros.conf, tags.conf, eventtypes.conf, and savedsearches.conf.

A

Knowledge Objects

238
Q

____ knowledge objects are knowledge objects that do not have an owner. This occurs when a Splunk account is deactivated and the KOs associated with that account remain in the system.

However, they can cause performance problems and security concerns.

A

orphaned