How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?
- A . The MC uses a REST endpoint to query the server.
- B . Roles are manually assigned within the MC.
- C . Roles are read from distsearch.conf.
- D . The MC assigns all possible roles by default.
A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users’ ability to view historic scheduled search results if they log onto a search head which doesn’t contain one of the 2 copies of a given search artifact.
Which of the following statements best describes what would happen in this scenario?
- A . The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use.
- B . Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results.
- C . The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads.
- D . The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundlecommand on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads.
Monitoring Console (MC) health check configuration items are stored in which configuration file?
- A . healthcheck.conf
- B . alert_actions.conf
- C . distsearch.conf
- D . checklist.conf
D
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/DMC/Customizehealthcheck
What should be considered when running the following CLI commands with a goal of accelerating an index cluster migration to new hardware?
- A . Data ingestion rate
- B . Network latency and storage IOPS
- C . Distance and location
- D . SSL data encryption
Which statement is true about subsearches?
- A . Subsearches are faster than other types of searches.
- B . Subsearches work best for joining two large result sets.
- C . Subsearches run at the same time as their outer search.
- D . Subsearches work best for small result sets.
A
Explanation:
Reference: https://community.splunk.com/t5/Archive/Looking-for-way-to-explain-why-subsearches-are-soslow/m-p/479133
A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this.
Which resource would help the customer gather the requirements for their new architecture?
- A . Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.
- B . Ask the customer to engage with the sales team immediately as they probably need a larger license.
- C . Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.
- D . Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.
D
Explanation:
Reference: https://www.splunk.com/pdfs/technical-briefs/splunk-validated-architectures.pdf
The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing.
Here is an excerpt from the cluster mater’s server.conf:
Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?
- A . Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.
- B . Leave replication_factor=2, increase search_factor=2and enable summary_replication.
- C . Convert the cluster to multi-site and modify the server.confto be site_replication_factor=2, site_search_factor=2.
- D . Increase replication_factor=3, search_factor=2to protect the data, and allow there to always be a searchable copy.
What is the primary driver behind implementing indexer clustering in a customer’s environment?
- A . To improve resiliency as the search load increases.
- B . To reduce indexing latency.
- C . To scale out a Splunk environment to offer higher performance capability.
- D . To provide higher availability for buckets of data.
D
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Howclusteredsearchworks
In a single indexer cluster, where should the Monitoring Console (MC) be installed?
- A . Deployer sharing with master cluster.
- B . License master that has 50 clients or more.
- C . Cluster master node
- D . Production Search Head
C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/DMC/WheretohostDMC
A customer has downloaded the Splunk App for AWS from Splunkbase and installed it in a search head cluster following the instructions using the deployer. A power user modifies a dashboard in the app on one of the search head cluster members. The app containing an updated dashboard is upgraded to the latest version by following the instructions via the deployer.
What happens?
- A . The updated dashboard will not be deployed globally to all users, due to the conflict with the power user’s modified version of the dashboard.
- B . Applying the search head cluster bundle will fail due to the conflict.
- C . The updated dashboard will be available to the power user.
- D . The updated dashboard will not be available to the power user; they will see their modified version.
A customer’s deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?
- A . Create a tiered deployment server topology.
- B . Reduce the phone home interval to 6 seconds.
- C . Leave the phone home interval at 60 seconds.
- D . Increase the phone home interval to 600 seconds.
Which of the following server.conf stanzas indicates the Indexer Discovery feature has not been fully configured (restart pending) on the Master Node?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/indexerdiscovery
What is the Splunk PS recommendation when using the deployment server and building deployment apps?
- A . Carefully design smaller apps with specific configuration that can be reused.
- B . Only deploy Splunk PS base configurations via the deployment server.
- C . Use $SPLUNK_HOME/etc/system/localconfigurations on forwarders and only deploy TAs via the deployment server.
- D . Carefully design bigger apps containing multiple configs.
B
Explanation:
Reference: https://www.splunk.com/en_us/blog/platform/adding-a-deployment-server-forwardermanagement-to-a-new-or-existing-splunk-cloud-or-splunk-enterprise-deployment.html
Which of the following processor occur in the indexing pipeline?
- A . tcp out, syslog out
- B . Regex replacement, annotator
- C . Aggregator
- D . UTF-8, linebreaker, header
D
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Howindexingworks#Event_processing_and_the_data_pipeline
Which configuration item should be set to false to significantly improve data ingestion performance?
- A . AUTO_KV_JSON
- B . BREAK_ONLY_BEFORE_DATE
- C . SHOULD_LINEMERGE
- D . ANNOTATE_PUNCT
C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.6/Data/Configureeventlinebreaking
A customer has a new set of hardware to replace their aging indexers.
What method would reduce the amount of bucket replication operations during the migration process?
- A . Disable the indexing ports on the old indexers.
- B . Disable replication ports on the old indexers.
- C . Put the old indexers into manual detention.
- D . Put the old indexers into automatic detention.
When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?
- A . All replicated copies will be rolled to frozen; original copies will remain.
- B . Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.
- C . The bucket rolls to frozen on all clustered indexers simultaneously.
- D . Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.
B
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Bucketsandclusters
A site from a multi-site indexer cluster needs to be decommissioned.
Which of the following actions must be taken?
- A . Nothing. Decommissioning a site is not possible.
- B . Create an alias for where the new data should be sent.
- C . Remove the site from the list of available sites.
- D . Remove the site from the list of available sites and create an alias for where the new data should be sent.
A customer wants to implement LDAP because managing local Splunk users is becoming too much of an overhead.
What configuration details are needed from the customer to implement LDAP authentication?
- A . API: Python script with PAM/RADIUS details.
- B . LDAP server: port, bind user credentials, path/to/groups, path/to/user.
- C . LDAP server: port, bind user credentials, base DN for groups, base DN for users.
- D . LDAP REST details, base DN for groups, base DN for users.
C
Explanation:
Reference: https://www.learnsplunk.com/splunk-ldap-authentication-configuration.html
A customer has a search cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages.
Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?
- A . The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
- B . The SHC will stop all scheduled search activity within the SHC.
- C . The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
- D . The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.
A [script://]input sends data to a Splunk forwarder using which method?
- A . UDP stream
- B . TCP stream
- C . Temporary file
- D . STDOUT/STDERR
C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf
A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data.
What is the proper message to communicate to the customer?
- A . The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer’s environment.
- B . While hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.
- C . Searching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
- D . Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).
An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week’s worth of data and are quite sensitive to search performance.
Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
- A . – frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
- B . – maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
- C . – maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
- D . – frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB,maxHotSpanSecs
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?
- A . Indexer
- B . Universal forwarder
- C . Search head
- D . Heavy forwarder
D
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html
Consider the scenario where the /var/log directory contains the files secure, messages, cron,audit.
A customer has created the following inputs.confstanzas in the same Splunk app in order to attempt to monitor the files secure and messages:
Which file(s) will actually be actively monitored?
- A . /var/log/secure
- B . /var/log/messages
- C . /var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure
- D . /var/log/secure, /var/log/messages
A customer has written the following search:
How can the search be rewritten to maximize efficiency?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
How could a role in which all users must specify an index=clausein all searches be configured?
- A . Set the authorize.confsetting: srchIndexesDefaultto no value.
- B . Set the authorize.confsetting: srchFilterto no value.
- C . Set the authorize.confsetting: srchIndexesAllowedto no value.
- D . Set the authorize.confsetting: srchJobsQuotato no value.
In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?
- A . For non-production environments to keep their configurations in sync.
- B . To ensure every customer has exactly the same base settings.
- C . To provide settings that do not need to be customized to meet customer requirements.
- D . To provide settings that can be customized to meet customer requirements.
C
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
Data can be onboarded using apps, Splunk Web, or the CLI.
Which is the PS preferred method?
- A . Create UDP input port 9997 on a UF.
- B . Use the add data wizard in Splunk Web.
- C . Use the inputs.conffile.
- D . Use a scripted input to monitor a log file.
B
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Howdoyouwanttoadddata