Test 2 Flashcards

1
Q
Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime 
D. frozenTimePeriodInSecs
A

D. frozenTimePeriodInSecs

2
Q
The universal forwarder has which capabilities when sending data? (Select all that apply.)
A. Sending alerts
B. Compressing data
C. Obfuscating/hiding data
D. Indexer acknowledgement
A

D. Indexer acknowledgement

3
Q

In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first.

A

A. Blacklist

4
Q

In which Splunk configuration is the SEDCMD used?

A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf

A

A. props.conf

5
Q
Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)
A. CLI
B. Edit inputs.conf
C. Edit forwarder.conf
D. Forwarder Management
A

B. Edit inputs.conf

6
Q
Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default
A

A. $SPLUNK_HOME/etc

7
Q
Which forwarder type can parse data prior to forwarding?
A. Universal forwarder
B. Heaviest forwarder
C. Hyper forwarder
D. Heavy forwarder
A

D. Heavy forwarder

8
Q

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers

A

A. Indexers

9
Q
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
A. Deployer
B. Cluster master
C. Deployment server
D. Search head cluster master
A

A. Deployer

10
Q
Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps
A

A. $SPLUNK_HOME/etc/apps

11
Q

This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above

A

C. /var/log/maillog and /var/log/messages

12
Q
In which phase of the index time process does the license metering occur?
A. Input phase
B. Parsing phase
C. Indexing phase
D. Licensing phase
A

C. Indexing phase

13
Q

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?
A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

A

D. A list of the current running props.conf configurations along with a file path from which the configuration was made.

14
Q
When running the command shown below, what is the default path in which deploymentserver.conf is created?
splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default 
D. SPLUNK_HOME/etc/apps/deployment
A

B. SPLUNK_HOME/etc/system/local

15
Q
The priority of layered Splunk configuration files depends on the file’s:
A. Owner
B. Weight
C. Context
D. Creation time
A

C. Context

16
Q
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
A. Slash notation
B. Regular expression
C. Irregular expression
D. Wildcard-only expression
A

B. Regular expression

17
Q
What is required when adding a native user to Splunk? (Select all that apply.)
A. Password
B. Username
C. Full Name
D. Default app
A

C. Full Name

D. Default app

18
Q
What are the minimum required settings when creating a network input in Splunk?
A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number
A

A. Protocol, port number

19
Q
Which Splunk component requires a Forwarder license?
A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder
A

B. Heavy forwarder

20
Q
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
A. _TCP_ROUTING
B. _INDEXER_LIST
C. _INDEXER_GROUP
D. _INDEXER_ROUTING
A

A. _TCP_ROUTING

21
Q
To set up a network input in Splunk, what needs to be specified?
A. File path.
B. Username and password.
C. Network protocol and port number.
D. Network protocol and MAC address.
A

A. File path

22
Q

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

A. Universal forwarder
B. Parsing forwarder
C. Heavy forwarder
D. Advanced forwarder

A

C. Heavy forwarder

23
Q

Which of the following statements describe deployment management? (Select all that apply.)
A. Requires an Enterprise license.
B. Is responsible for sending apps to forwarders.
C. Once used, is the only way to manage forwarders.
D. Can automatically restart the host OS running the forwarder.

A

A. Requires an Enterprise license

24
Q
During search time, which directory of configuration files has the highest precedence?
A. $SPLUNK_HOME/etc/system/local
B. $SPLUNK_HOME/etc/system/default
C. $SPLUNK_HOME/etc/apps/app1/local
D. $SPLUNK_HOME/etc/users/admin/local
A

C. $SPLUNK_HOME/etc/apps/app1/local

25
Q
Within props.conf, which stanzas are valid for data modification? (Select all that apply.)
A. Host
B. Server
C. Source
D. Sourcetype
A

C. Source

D. Sourcetype

26
Q
What is the correct order of steps in Duo Multifactor Authentication?
A. 1. Request Login
   2. Connect to SAML server
   3. Duo MFA
   4. Create User session
   5. Authentication Granted
   6. Log into Splunk

B. 1. Request Login
   2. Duo MFA
   3. Authentication Granted
   4. Connect to SAML server
   5. Log into Splunk
   6. Create User session

C. 1. Request Login
   2. Check authentication / group mapping
   3. Authentication Granted
   4. Duo MFA
   5. Create User session
   6. Log into Splunk

D. 1. Request Login
   2. Duo MFA
   3. Check authentication / group mapping
   4. Create User session
   5. Authentication Granted
   6. Log into Splunk
A

C. 1. Request Login
   2. Check authentication / group mapping
   3. Authentication Granted
   4. Duo MFA
   5. Create User session
   6. Log into Splunk
27
Q
Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)
A. $SPLUNK_HOME/bin/scripts
B. $SPLUNK_HOME/etc/apps/bin
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps//bin
A

A. $SPLUNK_HOME/bin/scripts
C. $SPLUNK_HOME/etc/system/bin
D. $SPLUNK_HOME/etc/apps//bin

28
Q

How does the Monitoring Console monitor forwarders?
A. By pulling internal logs from forwarders.
B. By using the forwarder monitoring add-on.
C. With internal logs forwarded by forwarders.
D. With internal logs forwarded by deployment server.

A

A. By pulling internal logs from forwarders

29
Q

What options are available when creating custom roles? (Select all that apply.)
A. Restrict search terms.
B. Whitelist search terms.
C. Limit the number of concurrent search jobs.
D. Allow or restrict indexes that can be searched.

A

A. Restrict search terms.

D. Allow or restrict indexes that can be searched.

30
Q

Which of the following are supported options when configuring optional network inputs?
A. Metadata override, sender filtering options, network input queues (quantum queues)
B. Metadata override, sender filtering options, network input queues (memory/persistent queues)
C. Filename override, sender filtering options, network output queues (memory/persistent queues)
D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

A

D. Metadata override, receiver filtering options, network input queues (memory/persistent queues)

31
Q
What is the default character encoding used by Splunk during the input phase?
A. UTF-8
B. UTF-16
C. EBCDIC
D. ISO 8859
A

A. UTF-8

32
Q

Which of the following enables compression for universal forwarders in outputs.conf?
A. [udpout:mysplunk_indexer11]
   compression=true
B. [tcpout]
   defaultGroup=my_indexers
   compressed=true
C. /opt/splunkforwarder/bin/splunk enable compression
D. [tcpout:my_indexers]
   server=mysplunk_indexer1:9997, mysplunk_indexer2:9997
   decompression=false

A

B. [tcpout]
   defaultGroup=my_indexers
   compressed=true

33
Q
User role inheritance allows what to be inherited from the parent role? (Select all that apply.)
A. Parents
B. Capabilities
C. Index access
D. Search history
A

B. Capabilities

34
Q

Which of the following statements apply to directory inputs? (Select all that apply.)
A. All discovered text files are consumed.
B. Compressed files are ignored by default.
C. Splunk recursively traverses through the directory structure.
D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

A

C. Splunk recursively traverses through the directory structure.

35
Q

How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A. [distributedSearch:NYC]
   default = false
   servers = nyc1:8089, nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089, houston2:8089
B. [distributedSearch]
   servers = nyc1, nyc2, houston1, houston2
   [distributedSearch:NYC]
   default = false
   servers = nyc1, nyc2
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1, houston2
C. [distributedSearch]
   servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
   [distributedSearch:NYC]
   default = false
   servers = nyc1:8089, nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089, houston2:8089
D. [distributedSearch]
   servers = nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
   [distributedSearch:NYC]
   default = false
   servers = nyc1:8089; nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089; houston2:8089

A

D. [distributedSearch]
   servers = nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
   [distributedSearch:NYC]
   default = false
   servers = nyc1:8089; nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089; houston2:8089

36
Q

Which of the following is a valid distributed search group?
A. [distributedSearch:Paris]
   default = false
   servers = server1, server2
B. [searchGroup:Paris]
   default = false
   servers = server1:8089, server2:8089
C. [searchGroup:Paris]
   default = false
   servers = server1:9997, server2:9997
D. [distributedSearch:Paris]
   default = false
   servers = server1:8089; server2:8089

A

D. [distributedSearch:Paris]
   default = false
   servers = server1:8089; server2:8089

37
Q

Local user accounts created in Splunk store passwords in which file?
A. $SPLUNK_HOME/etc/passwd
B. $SPLUNK_HOME/etc/authentication
C. $SPLUNK_HOME/etc/users/passwd.conf
D. $SPLUNK_HOME/etc/users/authentication.conf

A

A. $SPLUNK_HOME/etc/passwd

38
Q
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
A. True
B. False
C. 
D. Newline Character
A

B. False

39
Q
Which Splunk component does a search head primarily communicate with?
A. Indexer
B. Forwarder
C. Cluster master
D. Deployment server
A

A. Indexer

40
Q
Which layers are involved in Splunk configuration file layering? (Select all that apply.)
A. App context
B. User context
C. Global context
D. Forwarder context
A

A. App context

C. Global context

41
Q
Which of the following are methods for adding inputs in Splunk? (Select all that apply.)
A. CLI
B. Splunk Web
C. Editing inputs.conf
D. Editing monitor.conf
A

A. CLI

B. Splunk Web

42
Q
Which of the following authentication types requires scripting in Splunk?
A. ADFS
B. LDAP
C. SAML
D. RADIUS
A

D. RADIUS

43
Q

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

A

B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

44
Q

What is the difference between the two wildcards … and * for the monitor stanza in inputs.conf?
A. … is not supported in monitor stanzas.
B. There is no difference, they are interchangeable and match anything beyond directory boundaries.
C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.
D. … matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.

A

C. * matches anything in that specific directory path segment, whereas … recurses through subdirectories as well.

45
Q
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
A. License data
B. Metrics data
C. Internal Splunk data
D. Internal Windows logs
A

B. Metrics data

46
Q
Which valid bucket types are searchable? (Select all that apply.)
A. Hot buckets
B. Cold buckets
C. Warm buckets
D. Frozen buckets
A

A. Hot buckets
B. Cold buckets
C. Warm buckets

47
Q

How do you remove missing forwarders from the Monitoring Console?
A. By restarting Splunk.
B. By rescanning active forwarders.
C. By reloading the deployment server.
D. By rebuilding the forwarder asset table.

A

D. By rebuilding the forwarder asset table.

48
Q
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
A. Any OS platform.
B. Linux platform only.
C. Windows platform only.
D. None of the above.
A

C. Windows platform only.

49
Q
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
A. REGEX, DEST, FORMAT
B. REGEX, SRC_KEY, FORMAT
C. REGEX, DEST_KEY, FORMAT
D. REGEX, DEST_KEY, FORMATTING
A

C. REGEX, DEST_KEY, FORMAT

50
Q
Which of the following indexes come pre-configured with Splunk Enterprise? (Select all that apply.) 
A. _licence
B. _internal
C. _external
D. _thefishbucket
A

B. _internal

51
Q
How often does Splunk recheck the LDAP server?
A. Every 5 minutes.
B. Each time a user logs in.
C. Each time Splunk is restarted.
D. Varies based on LDAP_refresh setting.
A

D. Varies based on LDAP_refresh setting.

52
Q
Where are license files stored?
A. $SPLUNK_HOME/etc/secure
B. $SPLUNK_HOME/etc/system
C. $SPLUNK_HOME/etc/licenses
D. $SPLUNK_HOME/etc/apps/licenses
A

C. $SPLUNK_HOME/etc/licenses

53
Q

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
D. To ensure that data has not been tampered with for auditing and/or legal purposes.

A

D. To ensure that data has not been tampered with for auditing and/or legal purposes.

54
Q
Which Splunk component performs indexing and responds to search requests from the search head?
A. Forwarder
B. Search peer
C. License master
D. Search head cluster
A

B. Search peer

55
Q
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
A. AppClass
B. ClientClass
C. ServerClass
D. Forwarder Class
A

C. ServerClass

56
Q

In this source type definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30

A

B. MAX_TIMESTAMP_LOOKAHEAD = 10

57
Q
Which of the following are required when defining an index in indexes.conf? (Select all that apply.)
A. coldPath
B. homePath
C. frozenPath
D. thawedPath
A

D. thawedPath

58
Q

Which of the following apply to how distributed search works? (Select all that apply.)
A. The search head dispatches searches to the peers.
B. The search peers pull the data from the forwarders.
C. Peers run searches in parallel and return their portion of results.
D. The search head consolidates the individual results and prepares reports.

A

A. The search head dispatches searches to the peers.

59
Q
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
A. Disk
B. CPUs
C. Memory
D. Network interface cards
A

B. CPUs

60
Q

Which authentication methods are natively supported within Splunk Enterprise? (Select all that apply.)

A. LDAP
B. SAML
C. RADIUS
D. Duo Multifactor Authentication

A

A. LDAP

D. Duo Multifactor Authentication