Test 1 Flashcards

1
Q

Which parent directory contains the configuration files in Splunk?

A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default

A

A. $SPLUNK_HOME/etc

2
Q

Which forwarder type can parse data prior to forwarding?
A. Universal forwarder
B. Heaviest forwarder
C. Hyper forwarder
D. Heavy forwarder

A

D. Heavy forwarder

3
Q
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head 
D. Search peers
A

C. Search head

The search head distributes the search to its peers and merges their partial results into the final report; indexers only return their own slice.

4
Q
Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps
A

D. $SPLUNK_HOME/etc/deployment-apps

$SPLUNK_HOME/etc/apps holds the apps running on the deployment server itself; clients pull from $SPLUNK_HOME/etc/deployment-apps.

5
Q

This file has been manually created on a universal forwarder:

/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:

/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog

Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above

A

B. /var/log/maillog

When a deployment client receives an app, the deployment server replaces the client's whole my_TA directory with its own copy, so the hand-made inputs.conf and its /var/log/messages stanza are gone.

6
Q
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
A. Slash notation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression
A

B. Regular expression

7
Q

What is required when adding a native user to Splunk? (Select all that apply.)
A. Password
B. Username
C. Full Name
D. Default app

A

A. Password

B. Username

Only the username and password are mandatory; full name and default app are optional.

8
Q

What are the minimum required settings when creating a network input in Splunk?
A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number

A

A. Protocol, port number

9
Q

Which Splunk component requires a Forwarder license?
A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder

A

B. Heavy forwarder

10
Q
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER_ROUTING
A

A. _TCP_ROUTING

11
Q

To set up a network input in Splunk, what needs to be specified?
A. File path.
B. Username and password.
C. Network protocol and port number.
D. Network protocol and MAC address.

A

C. Network protocol and port number.

12
Q
During search time, which directory of configuration files has the highest precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default 
C. $SPLUNK_HOME/etc/apps/app1/local
D. $SPLUNK_HOME/etc/users/admin/local
A

D. $SPLUNK_HOME/etc/users/admin/local

At search time the user context wins: users/<user>/<app>/local is layered above apps/<app>/local and apps/<app>/default, with system/local and system/default below them all. system/local has the highest precedence only in the global (index-time) context.

13
Q
Within props.conf, which stanzas are valid for data modification? (Select all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype
A

A. Host

C. Source

D. Sourcetype

props.conf stanzas are keyed by sourcetype ([<sourcetype>]), host ([host::<host>]) or source ([source::<source>]); there is no server stanza.

14
Q
What is the correct order of steps in Duo Multifactor Authentication?
A. 1.RequestLogin
     2. Connect to SAML server 
     3. Duo MFA
     4. Create User session
     5. Authentication Granted 
     6. Log into Splunk
B. 1.RequestLogin 
     2. Duo MFA
     3. Authentication Granted 
     4. Connect to SAML server 
     5. Log into Splunk
     6. Create User session
C. 1. Request Login
     2. Check authentication / group mapping 
     3. Authentication Granted
     4. Duo MFA
     5. Create User session
     6. Log into Splunk
D. 1. Request Login 
     2. Duo MFA
     3. Check authentication / group mapping                    
     4. Create User session
     5. Authentication Granted
     6. Log into Splunk
A
C. 1. Request Login
     2. Check authentication / group mapping
     3. Authentication Granted
     4. Duo MFA
     5. Create User session
     6. Log into Splunk
15
Q

Which of the following enables compression for universal forwarders in outputs.conf?
A. [udpout:mysplunk_indexer11]
compression=true
B. [tcpout]
defaultGroup=my_indexers
compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpout:my_indexers]
server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
decompression=false

A

B. [tcpout]
defaultGroup=my_indexers
compressed=true
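Added example, not part of this deck or of Splunk's own code, covering cards 6, 10 and 15 at once: it reads a constructed inputs.conf/outputs.conf pair as a universal forwarder would, checks that whitelist and blacklist values compile as regular expressions, resolves each monitor stanza's _TCP_ROUTING group against the [tcpout:<group>] stanzas, and confirms that compressed=true sits under [tcpout], which is where the forwarder reads it. The group names, indexer hostnames, paths and regexes are made up; only the setting names are Splunk's.

```python
import configparser
import re

# Constructed inputs.conf for this example. The first stanza filters files with
# regex whitelist/blacklist (card 6) and pins its data to one indexer group
# (card 10); the second relies on the default group.
INPUTS_CONF = """
[monitor:///var/log]
whitelist = \\.log$
blacklist = (debug|trace)\\.log$
sourcetype = syslog
index = syslog
_TCP_ROUTING = secure_indexers

[monitor:///var/log/messages]
sourcetype = syslog
index = syslog
"""

# Constructed outputs.conf. compressed=true lives under [tcpout] (card 15);
# each [tcpout:<group>] lists host:port targets on the receiving port.
OUTPUTS_CONF = """
[tcpout]
defaultGroup = my_indexers
compressed = true

[tcpout:my_indexers]
server = mysplunk_indexer1:9997, mysplunk_indexer2:9997

[tcpout:secure_indexers]
server = mysplunk_indexer3:9997
"""


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # configparser lower-cases keys unless told not to
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def tcpout_groups(outputs):
    """Map each [tcpout:<group>] stanza to its list of server targets."""
    groups = {}
    for stanza, keys in outputs.items():
        if stanza.startswith("tcpout:"):
            servers = [s.strip() for s in keys.get("server", "").split(",")]
            groups[stanza.split(":", 1)[1]] = [s for s in servers if s]
    return groups


def check_forwarder(inputs_text, outputs_text):
    """Return a list of problems; an empty list means the pair is consistent."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    groups = tcpout_groups(outputs)
    tcpout = outputs.get("tcpout", {})
    problems = []
    default = tcpout.get("defaultGroup")
    if default not in groups:
        problems.append(f"defaultGroup {default!r} has no [tcpout:{default}] stanza")
    if tcpout.get("compressed", "false").lower() != "true":
        problems.append("compressed=true is not set under [tcpout]")
    for stanza, keys in inputs.items():
        if not stanza.startswith("monitor://"):
            continue
        for name in ("whitelist", "blacklist"):
            if name in keys:
                try:
                    re.compile(keys[name])
                except re.error as exc:
                    problems.append(f"{stanza}: {name} is not a valid regex ({exc})")
        group = keys.get("_TCP_ROUTING")
        if group and group not in groups:
            problems.append(f"{stanza}: _TCP_ROUTING={group} matches no [tcpout:{group}]")
    return problems


def route_for(stanza, inputs_text, outputs_text):
    """Indexers that receive a monitor stanza's data: its _TCP_ROUTING group,
    or the [tcpout] defaultGroup when the stanza sets none."""
    inputs, outputs = parse_conf(inputs_text), parse_conf(outputs_text)
    group = inputs[stanza].get("_TCP_ROUTING", outputs["tcpout"]["defaultGroup"])
    return tcpout_groups(outputs)[group]


def matches_monitor(path, stanza_keys):
    """Splunk's rule for a monitored path: it must match the whitelist (if any)
    and must not match the blacklist; blacklist wins when both match."""
    whitelist, blacklist = stanza_keys.get("whitelist"), stanza_keys.get("blacklist")
    if whitelist and not re.search(whitelist, path):
        return False
    return not (blacklist and re.search(blacklist, path))


if __name__ == "__main__":
    print(check_forwarder(INPUTS_CONF, OUTPUTS_CONF))
    print(route_for("monitor:///var/log", INPUTS_CONF, OUTPUTS_CONF))
    print(matches_monitor("/var/log/app/debug.log", parse_conf(INPUTS_CONF)["monitor:///var/log"]))
```

The check returns a list rather than raising so that every problem surfaces in one pass and the app can be fixed before it is pushed from deployment-apps; a mistyped group name in _TCP_ROUTING or a compression key under the wrong stanza is easy to miss by eye.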

16
Q

User role inheritance allows what to be inherited from the parent role? (Select all that apply.)

A. Parents
B. Capabilities
C. Index access
D. Search history

A

B. Capabilities

C. Index access

A child role inherits its parent's capabilities and index access; search history belongs to the individual user.

17
Q

Which of the following statements apply to directory inputs? (Select all that apply.)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

A

A. All discovered text files are consumed.

C. Splunk recursively traverses through the directory structure.

A monitor input reads every text file it finds under the directory, decompresses archives rather than ignoring them, and picks up files added later without a restart.

18
Q
Which of the following is a valid distributed search group?
A. [distributedSearch:Paris]
default = false
servers = server1, server2
B. [searchGroup:Paris]
default = false
servers = server1:8089, server2:8089
C. [searchGroup:Paris]
default = false
servers = server1:9997, server2:9997
D. [distributedSearch:Paris]
default = false
servers = server1:8089; server2:8089
A

D. [distributedSearch:Paris]
default = false
servers = server1:8089; server2:8089

19
Q

Local user accounts created in Splunk store passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

A

A. $SPLUNK_HOME/etc/passwd

20
Q
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True 
B. False
C. 
D. Newline Character
A

B. False

21
Q
Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server
A

A. Indexer

22
Q
Which layers are involved in Splunk configuration file layering? (Select all that apply.)
A. App context
B. User context
C. Global context
D. Forwarder context
A

A. App context

B. User context

C. Global context

Settings are layered in a global context (used at index time) and an app/user context (used at search time); a forwarder uses the same layering and has no context of its own.
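Added example for cards 12 and 22, not from the deck or from Splunk: a small resolver that layers one conf file the way Splunk does for the global (index-time) and app/user (search-time) contexts and reports both the effective value and the directory that supplied it. The directory names are Splunk's; app1, admin and the props.conf contents are constructed, and the model covers a single app, so it leaves out the ASCII-order tie-break Splunk applies between several apps in the global context.

```python
import configparser

# Constructed layers for this example, keyed by path under $SPLUNK_HOME/etc.
# Directory names are Splunk's; app1, admin and the settings are made up.
LAYERS = {
    "system/default/props.conf": "[syslog]\nMAX_TIMESTAMP_LOOKAHEAD = 128\nTRUNCATE = 10000",
    "apps/app1/default/props.conf": "[syslog]\nTRUNCATE = 20000\nEXTRACT-user = user=(?<user>\\S+)",
    "apps/app1/local/props.conf": "[syslog]\nTRUNCATE = 30000",
    "system/local/props.conf": "[syslog]\nTRUNCATE = 40000",
    "users/admin/app1/local/props.conf": "[syslog]\nEXTRACT-user = usr=(?<user>\\S+)",
}


def global_order(app):
    """Index-time (global) context, lowest precedence first: system/local wins."""
    return ["system/default", f"apps/{app}/default", f"apps/{app}/local", "system/local"]


def user_order(app, user):
    """Search-time (app/user) context, lowest precedence first. Both system
    directories sit below the app here, and the user directory wins."""
    return ["system/default", "system/local", f"apps/{app}/default",
            f"apps/{app}/local", f"users/{user}/{app}/local"]


def merge(conf_file, dirs):
    """Layer one conf file across directories; a later (higher) layer overwrites
    only the keys it sets. Each key maps to (value, directory that set it)."""
    merged = {}
    for d in dirs:
        text = LAYERS.get(f"{d}/{conf_file}")
        if text is None:
            continue
        cp = configparser.ConfigParser(interpolation=None)
        cp.optionxform = str  # keep key case (EXTRACT-user, TRUNCATE)
        cp.read_string(text)
        for stanza in cp.sections():
            for key, value in cp[stanza].items():
                merged.setdefault(stanza, {})[key] = (value, d)
    return merged


def effective(conf_file, stanza, key, context, app="app1", user="admin"):
    """Effective value of a setting and the directory it came from, for the
    'index' (global) or 'search' (app/user) context."""
    dirs = global_order(app) if context == "index" else user_order(app, user)
    return merge(conf_file, dirs)[stanza][key]


if __name__ == "__main__":
    for ctx in ("index", "search"):
        print(ctx, effective("props.conf", "syslog", "TRUNCATE", ctx))
```

The same TRUNCATE key resolves to system/local at index time but to apps/app1/local at search time, which is the point of card 12: the directory with the highest precedence depends on the context in which the setting is read.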

23
Q
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
A. Any OS platform.
B. Linux platform only.
C. Windows platform only.
D. None of the above.
A

A. Any OS platform.

Forwarders and indexers interoperate across operating systems: a Windows universal forwarder can send to a Linux or a Windows indexer.

24
Q
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
A. REGEX,DEST,FORMAT
B. REGEX,SRC_KEY,FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING
A

C. REGEX, DEST_KEY, FORMAT
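Added example for card 24, not from the deck or from Splunk: a simulation of how the index-time pipeline handles a TRANSFORMS- chain, where each stanza's REGEX is tested against the raw event and, on a match, DEST_KEY is set to FORMAT. Routing queue to nullQueue discards the event; setting _MetaData:Index sends it to a different index. The props.conf and transforms.conf text and the three log lines are constructed.

```python
import configparser
import re

# Constructed props.conf / transforms.conf for this example.
PROPS_CONF = """
[syslog]
TRANSFORMS-filter = drop_debug, route_auth
"""

TRANSFORMS_CONF = """
[drop_debug]
REGEX = \\bDEBUG\\b
DEST_KEY = queue
FORMAT = nullQueue

[route_auth]
REGEX = sshd\\[\\d+\\]: Failed password
DEST_KEY = _MetaData:Index
FORMAT = security
"""

REQUIRED = ("REGEX", "DEST_KEY", "FORMAT")

# Constructed sample events.
SAMPLE = [
    "Mar  1 10:00:01 host1 app[123]: DEBUG cache warmed",
    "Mar  1 10:00:02 host1 sshd[456]: Failed password for root from 203.0.113.5 port 4242 ssh2",
    "Mar  1 10:00:03 host1 cron[789]: (root) CMD (run-parts /etc/cron.hourly)",
]


def parse_conf(text):
    """Parse Splunk-style conf text into {stanza: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}


def missing_attributes(stanza):
    """Which of REGEX, DEST_KEY, FORMAT a transforms.conf stanza lacks."""
    return [a for a in REQUIRED if a not in stanza]


def transform_chain(sourcetype, props, transforms):
    """Transforms named by the sourcetype's TRANSFORMS-* keys, in declared order."""
    chain = []
    for key, value in props[sourcetype].items():
        if key.startswith("TRANSFORMS-"):
            for name in (n.strip() for n in value.split(",")):
                missing = missing_attributes(transforms[name])
                if missing:
                    raise ValueError(f"[{name}] lacks {', '.join(missing)}")
                chain.append(transforms[name])
    return chain


def index_events(events, sourcetype, default_index="syslog"):
    """Run events through the chain. Every matching REGEX sets its DEST_KEY to
    FORMAT (a later transform can overwrite an earlier one). Events whose queue
    ends up as nullQueue are discarded; the rest return as (index, raw) pairs."""
    chain = transform_chain(sourcetype, parse_conf(PROPS_CONF), parse_conf(TRANSFORMS_CONF))
    kept = []
    for raw in events:
        keys = {"queue": "indexQueue", "_MetaData:Index": default_index}
        for t in chain:
            if re.search(t["REGEX"], raw):
                keys[t["DEST_KEY"]] = t["FORMAT"]
        if keys["queue"] != "nullQueue":
            kept.append((keys["_MetaData:Index"], raw))
    return kept


if __name__ == "__main__":
    for index, raw in index_events(SAMPLE, "syslog"):
        print(index, raw)
```

The REGEX is applied to the whole raw event, so anchor it tightly: a loose pattern routed to nullQueue silently discards data before it is ever indexed, which is the same mechanism that makes this the right place to drop noisy DEBUG lines.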

25
Q
Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.)
A. _licence
B. _internal
C. _external
D. _thefishbucket
A

B. _internal

D. _thefishbucket

Both are defined in the default indexes.conf; _licence and _external are not Splunk indexes.

26
Q
How often does Splunk recheck the LDAP server?
A. Every 5 minutes.
B. Each time a user logs in.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.
A

B. Each time a user logs in.

Splunk checks the LDAP server when a user logs in (or when you reload LDAP users); there is no LDAP_refresh setting.

27
Q

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

A

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

28
Q
Which Splunk component performs indexing and responds to search requests from the search head?
A. Forwarder
B. Search peer
C. License master
D. Search head cluster
A

B. Search peer