Test 2

Question 1

Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime 
D. frozenTimePeriodInSecs

Answer 1

D. frozenTimePeriodInSecs

Question 2

The universal forwarder has which capabilities when sending data? (Select
all that apply.)
A. Sendingalerts
B. Compressingdata
C. Obfuscating/hiding data 
D. Indexer acknowledgement

Answer 2

D. Indexer acknowledgement

Question 3

In case of a conflict between a whitelist and a blacklist input setting, which
one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whicheverisenteredintotheconfigurationfirst.

Answer 3

A. Blacklist

Question 4

In which Splunk configuration is the SEDCMD used?

A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf

Answer 4

A. props.conf

Question 5

Which of the following are supported configuration methods to add inputs on a forwarder? (Select
all that apply.)
A. CLI
B. Editinputs.conf
C. Edit forwarder.conf 
D. Forwarder Management

Answer 5

B. Editinputs.conf

Question 6

Which parent directory contains the configuration
files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default

Answer 6

A. $SPLUNK_HOME/etc

Question 7

Which forwarder type can parse data prior
to forwarding?
A. Universalforwarder 
B. Heaviestforwarder 
C. Hyperforwarder
D. Heavyforwarder

Answer 7

D. Heavyforwarder

Question 8

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head D. Search peers

Answer 8

A. Indexers

Question 9

Which Splunk component distributes apps and certain other configuration updates to search head cluster
members?
A. Deployer
B. Clustermaster
C. Deployment server
D. Search head cluster master

Answer 9

A. Deployer

Question 10

Where should apps be located on the deployment server that the
clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps

Answer 10

A. $SPLUNK_HOME/etc/apps

Question 11

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf [monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file: /opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
monitor:///var/log/maillog] sourcetype=maillog index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages D. none of the above

Answer 11

C. /var/log/maillog and /var/log/messages

Question 12

In which phase of the index time process does the license
metering occur?
A. Input phase
B. Parsingphase 
C. Indexing phase 
D. Licensing phase

Answer 12

C. Indexing phase

Question 13

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list –-debug. What will the output be?
A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Answer 13

D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

Question 14

When running the command shown below, what is the default path in which deploymentserver.conf is created? splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default 
D. SPLUNK_HOME/etc/apps/deployment

Answer 14

B. SPLUNK_HOME/etc/system/local

Question 15

The priority of layered Splunk configuration files depends on the file’s:
A. Owner
B. Weight
C. Context
D. Creation time

Answer 15

C. Context

Question 16

When configuring monitor inputs with whitelists or blacklists, what is the supported method of
filtering the lists?
A. Slashnotation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression

Answer 16

B. Regular expression

Question 17

What is required when adding a native user to Splunk? (Select
all that apply.)
A. Password 
B. Username 
C. Full Name 
D. Default app

Answer 17

C. Full Name

D. Default app

Question 18

What are the minimum required settings when creating a network
input in Splunk?
A. Protocol,portnumber 
B. Protocol,port,location
C. Protocol, username, port 
D. Protocol, IP, port number

Answer 18

A. Protocol,portnumber

Question 19

Which Splunk component requires a
Forwarder license?
A. Searchhead
B. Heavyforwarder
C. Heaviest forwarder 
D. Universal forwarder

Answer 19

B. Heavyforwarder

Question 20

Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific
indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP 
D. _INDEXER_ROUTING

Answer 20

A. _TCP_ROUTING

Question 21

To set up a network input in Splunk, what needs
to be specified?
A. Filepath.
B. Usernameandpassword.
C. Network protocol and port number. 
D. Network protocol and MAC address.

Answer 21

A. Filepath

Question 22

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

A. Universal forwarder
B. Parsingforwarder
C. Heavyforwarder
D. Advancedforwarder

Answer 22

C. Heavyforwarder

Question 23

Which of the following statements describe deployment management? (Select all that apply.)
A. Requires an Enterprise license.
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders.
D. Can automatically restart the host OS running the forwarder.

Answer 23

A. Requires an Enterprise license

Question 24

During search time, which directory of configuration files has the highest
precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default
C. $SPLUNK_HOME/etc/apps/app1/local 
D. $SPLUNK_HOME/etc/users/admin/local

Answer 24

C. $SPLUNK_HOME/etc/apps/app1/local

Question 25

Within props.conf, which stanzas are valid for data modification? (Select
all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype

Answer 25

C. Source

D. Sourcetype

Question 26

What is the correct order of steps in Duo Multifactor Authentication?
A. 1. Request Login
2. Connect to SAML server
3. Duo MFA
4. Create User session
5. Authentication Granted
6. Log into Splunk

B. 1. Request Login

2. Duo MFA
3. Authentication Granted
4. Connect to SAML server
5. Log into Splunk
6. Create User session

C. 1. Request Login

2. Check authentication / group mapping
3. Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D. 1. Request Login

2. Duo MFA
3. Check authentication / group mapping 4. Create User session
4. Authentication Granted
5. Log into Splunk

Answer 26

C. 1. Request Login

2. Check authentication / group mapping
3. Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

Question 27

Where can scripts for scripted inputs reside on the host file system? (Select
all that apply.)
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/apps/bin
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps//bin

Answer 27

A. $SPLUNK_HOME/bin/scripts
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps//bin

Question 28

How does the Monitoring Console
monitor forwarders?
A. By pulling internal logs from forwarders.
B. Byusingtheforwardermonitoringadd-on.
C. Withinternallogsforwardedbyforwarders.
D. With internal logs forwarder by deployment server.

Answer 28

A. By pulling internal logs from forwarders

Question 29

What options are available when creating custom roles? (Select
all that apply.)
A. Restrictsearchterms.
B. Whitelistsearchterms.
C. Limit the number of concurrent search jobs.
D. Allow or restrict indexes that can be searched.

Answer 29

A. Restrict search terms.

D. Allow or restrict indexes that can be searched.

Question 30

Which of the following are supported options when configuring optional
network inputs?
A. Metadata override,sender filtering options,network input queues(quantum queues)
B. Metadata override,sender filtering options,network input queues(memory/persistent queues)
C. Filename override, sender filtering options, network output queues (memory/persistent queues)
D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer 30

D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

Question 31

What is the default character encoding used by Splunk during
the input phase?
A. UTF-8
B. UTF-16 
C. EBCDIC 
D. ISO 8859

Answer 31

A. UTF-8

Question 32

Which of the following enables compression for universal forwarders in outputs.conf?
A. [udpout:mysplunk_indexer11] compression=true
B. [tcpout] defaultGroup=my_indexers compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
decompression=false

Answer 32

B. [tcpout] defaultGroup=my_indexers compressed=true

Question 33

User role inheritance allows what to be inherited from the parent role? (Select
all that apply.)
A. Parents
B. Capabilities 
C. Index access 
D. Search history

Answer 33

B. Capabilities

Question 34

Which of the following statements apply to directory inputs? (Select
all that apply.)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer 34

C. Splunk recursively traverses through the directory structure.

Question 35

How would you configure your distsearch.conf to allow you to run the
search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A. [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false
servers = houston1:8089, houston2:8089
B. [distributedSearch] servers =nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON]
default = false servers = houston1, houston2
C. [distributedSearch] servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
[distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false
servers = houston1:8089, houston2:8089
D. [distributedSearch] servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
[distributedSearch:NYC]
default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089; houston2:8089

Answer 35

D. [distributedSearch] servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
[distributedSearch:NYC]
default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089; houston2:8089

Question 36

Which of the following is a valid distributed
search group?
A. [distributedSearch:Paris] default = false servers = server1, server2
B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089
C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997
D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer 36

D. [distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Question 37

Local user accounts created in Splunk store
passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

Answer 37

A. $SPLUNK_HOME/etc/passwd

Question 38

For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True
B. False
C. 
D. Newline Character

Answer 38

B. False

Question 39

Which Splunk component does a search head primarily
communicate with?
A. Indexer
B. Forwarder
C. Clustermaster
D. Deployment server

Answer 39

A. Indexer

Question 40

Which layers are involved in Splunk configuration file layering? (Select
all that apply.)
A. Appcontext
B. User context
C. Global context
D. Forwarder context

Answer 40

A. Appcontext

C. Global context

Question 41

Which of the following are methods for adding inputs in Splunk? (Select
all that apply.)
A. CLI
B. SplunkWeb
C. Editing inpits.conf 
D. Editing monitor.conf

Answer 41

A. CLI

B. SplunkWeb

Question 42

Which of the following authentication types requires
scripting in Splunk?
A. ADFS 
B. LDAP 
C. SAML 
D. RADIUS

Answer 42

D. RADIUS

Question 43

Which option accurately describes the purpose of the HTTP Event
Collector (HEC)?
A. Atoken-basedHTTPinputthatissecureandscalableandthatrequirestheuseofforwarders.
B. Atoken-basedHTTPinputthatissecureandscalableandthatdoesnotrequiretheuseofforwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders

Answer 43

B. Atoken-basedHTTPinputthatissecureandscalableandthatdoesnotrequiretheuseofforwarders

Question 44

What is the difference between the two wildcards … and * for the monitor stanza in
inputs.conf?
A. …isnotsupportedinmonitorstanzas.
B. There is no difference,they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.
D. … matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

Answer 44

C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.

Question 45

What type of data is counted against the Enterprise license at a fixed 150
bytes per event?
A. License data
B. Metrics data
C. Internal Splunk data 
D. Internal Windows logs

Answer 45

B. Metrics data

Question 46

Which valid bucket types are searchable? (Select
all that apply.)
A. Hot buckets
B. Coldbuckets 
C. Warm buckets 
D. Frozen buckets

Answer 46

A. Hot buckets
B. Coldbuckets
C. Warm buckets

Question 47

How do you remove missing forwarders from the
Monitoring Console?
A. ByrestartingSplunk.
B. Byrescanningactiveforwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.

Answer 47

D. By rebuilding the forwarder asset table.

Question 48

Which Splunk indexer operating system platform is supported when sending logs from a Windows
universal forwarder?
A. AnyOSplatform.
B. Linux platform only.
C. Windows platform only. 
D. None of the above.

Answer 48

C. Windows platform only.

Question 49

What are the required stanza attributes when configuring the transforms.conf to manipulate or
remove events?
A. REGEX,DEST,FORMAT
B. REGEX,SRC_KEY,FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING

Answer 49

C. REGEX, DEST_KEY, FORMAT

Question 50

Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.) 
A. _licence
B. _internal
C. _external
D. _thefishbucket

Answer 50

B. _internal

Question 51

How often does Splunk recheck the
LDAP server?
A. Every5minutes.
B. Eachtimeauserlogsin.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.

Answer 51

D. Varies based on LDAP_refresh setting.

Question 52

Where are
license files stored?
A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses

Answer 52

C. $SPLUNK_HOME/etc/licenses

Question 53

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes. C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Answer 53

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Question 54

Which Splunk component performs indexing and responds to search requests from the
search head?
A. Forwarder
B. Searchpeer
C. License master
D. Search head cluster

Answer 54

B. Searchpeer

Question 55

When deploying apps, which attribute in the forwarder management interface determines the apps that
clients install?
A. AppClass
B. ClientClass
C. ServerClass
D. Forwarder Class

Answer 55

C. ServerClass

Question 56

In this source type definition the MAX_TIMESTAMP_LOOKAHEAD ismissing.Whichvalue
would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} SHOUD_LINEMERGE = false
TRUNCATE = 0
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30

Answer 56

B. MAX_TIMESTAMP_LOOKAHEAD = 10

Question 57

Which of the following are required when defining an index in indexes.conf? (Select
all that apply.)
A. coldPath 
B. homePath 
C. frozenPath 
D. thawedPath

Answer 57

D. thawedPath

Question 58

Which of the following apply to how distributed search works? (Select
all that apply.)
A. The search head dispatches searches to the peers.
B. The search peers pull the data from the forwarders.
C. Peers run searches in parallel and return their portion of results.
D. The search head consolidates the individual results and prepares reports.

Answer 58

A. The search head dispatches searches to the peers.

Question 59

What hardware attribute would you need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
A. Disk
B. CPUs
C. Memory
D. Network interface cards

Answer 59

B. CPUs

Question 60

With authentication methods are natively supported within Splunk Enterprise? (Select all that apply.)

A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication

Answer 60

A. LDAP

D. Duo Multifactor Authentication