Test 1

Question 1

Which parent directory contains the configuration files in Splunk?

A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default

Answer 1

A. $SPLUNK_HOME/etc

Question 2

Which forwarder type can parse data prior to forwarding?
A. Universalforwarder B. Heaviestforwarder C. Hyper forwarder
D. Heavyforwarder

Answer 2

D. Heavyforwarder

Question 3

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head 
D. Search peers

Answer 3

A. Indexers

Question 4

Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps

Answer 4

A. $SPLUNK_HOME/etc/apps

Question 5

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf [monitor:///var/log/messages]
sourcetype=syslog
index=syslog

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file

/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf [monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages 
D. none of the above

Answer 5

C. /var/log/maillog and /var/log/messages

Question 6

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
A. Slashnotation
B. Regularexpression
C. Irregular expression
D. Wildcard-onlyexpression

Answer 6

B. Regularexpression

Question 7

What is required when adding a native user to Splunk? (Select all that apply.) A. Password
B. Username
C. Full Name
D. Default app

Answer 7

C. Full Name

D. Default app

Question 8

What are the minimum required settings when creating a network input in Splunk?
A. Protocol,portnumber
B. Protocol,port,location C. Protocol, username, port D. Protocol, IP, port number

Answer 8

A. Protocol,portnumber

Question 9

Which Splunk component requires a Forwarder license?
A. Searchhead
B. Heavyforwarder
C. Heaviest forwarder D. Universal forwarder

Answer 9

B. Heavyforwarder

Question 10

Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER_ROUTING

Answer 10

A. _TCP_ROUTING

Question 11

To set up a network input in Splunk, what needs to be specified?
A. Filepath.
B. Usernameandpassword.
C. Network protocol and port number. D. Network protocol and MAC address.

Answer 11

A. Filepath

Question 12

During search time, which directory of configuration files has the highest precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default 
C. $SPLUNK_HOME/etc/apps/app1/local
D. $SPLUNK_HOME/etc/users/admin/local

Answer 12

C. $SPLUNK_HOME/etc/apps/app1/local

Question 13

Within props.conf, which stanzas are valid for data modification? (Select all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype

Answer 13

C. Source

D. Sourcetype

Question 14

What is the correct order of steps in Duo Multifactor Authentication?
A. 1.RequestLogin
     2. Connect to SAML server 
     3. Duo MFA
     4. Create User session
     5. Authentication Granted 
     6. Log into Splunk
B. 1.RequestLogin 
     2. Duo MFA
     3. Authentication Granted 
     4. Connect to SAML server 
     5. Log into Splunk
     6. Create User session
C. 1. Request Login
     2. Check authentication / group mapping 
     3. Authentication Granted
     4. Duo MFA
     5. Create User session
     6. Log into Splunk
D. 1. Request Login 
     2. Duo MFA
     3. Check authentication / group mapping                    
     4. Create User session
     5. Authentication Granted
     6. Log into Splunk

Answer 14

C. 1. Request Login
     2. Check authentication / group. 
          mapping 
     3. Authentication Granted
     4. Duo MFA
     5. Create User session
     6. Log into Splunk

Question 15

Which of the following enables compression for universal forwarders in outputs.conf? A. [udpout:mysplunk_indexer11]
compression=true
B. [tcpout] defaultGroup=my_indexers compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
decompression=false

Answer 15

B. [tcpout] defaultGroup=my_indexers compressed=true

Question 16

User role inheritance allows what to be inherited from the parent role? (Select all that apply.)

A. Parents
B. Capabilities
C. Index access
D. Search history

Answer 16

B. Capabilities

Question 17

Which of the following statements apply to directory inputs? (Select all that apply.)
A. Alldiscoveredtextfilesareconsumed.
B. Compressedfilesareignoredbydefault.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer 17

C. Splunk recursively traverses through the directory structure.

Question 18

Which of the following is a valid distributed search group? A. [distributedSearch:Paris]
default = false
servers = server1, server2
B. [searchGroup:Paris]
default = false
servers = server1:8089, server2:8089
C. [searchGroup:Paris]
default = false
servers = server1:9997, server2:9997
D. [distributedSearch:Paris]
default = false
servers = server1:8089; server2:8089

Answer 18

D. [distributedSearch:Paris]
default = false
servers = server1:8089; server2:8089

Question 19

Local user accounts created in Splunk store passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

Answer 19

A. $SPLUNK_HOME/etc/passwd

Question 20

For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True 
B. False
C. 
D. Newline Character

Answer 20

B. False

Question 21

Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server

Answer 21

A. Indexer

Question 22

Which layers are involved in Splunk configuration file layering? (Select all that apply.)
A. Appcontext
B. Usercontext
C. Global context
D. Forwarder context

Answer 22

A. Appcontext

C. Global context

Question 23

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
A. AnyOSplatform.
B. Linux platform only.
C. Windows platform only. 
D. None of the above.

Answer 23

C. Windows platform only.

Question 24

What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
A. REGEX,DEST,FORMAT
B. REGEX,SRC_KEY,FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING

Answer 24

C. REGEX, DEST_KEY, FORMAT

Question 25

Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.)
A. _licence
B. _internal
C. _external
D. _thefishbucket

Answer 25

B. _internal

Question 26

How often does Splunk recheck the LDAP server?
A. Every5minutes.
B. Eachtimeauserlogsin.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.

Answer 26

D. Varies based on LDAP_refresh setting.

Question 27

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A.To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes. C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Answer 27

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Question 28

Which Splunk component performs indexing and responds to search requests from the search head?
A. Forwarder
B. Searchpeer
C. License master
D. Search head cluster

Answer 28

B. Searchpeer