Splunk Enterprise Certified Admin SPLK-1003 Exam Practice Test

Page: 1 / 14
Total 196 questions

Want more questions? Get Premium Access.
()

Question 1

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

--reset Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use. https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport

Question 2

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

'search peer is a splunk platform instance that responds to search requests from a search head. The term 'search peer' is usally synonymous with the indexer role in a distributed search topology. However, other instance types also have access to indexed data, particularly internal diagnostic data, and thus function as search peers when they respond to search requests for that data.'

Question 3

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 4

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

SAML is an open standard for exchanging authentication and authorization data between parties, especially between an identity provider and a service provider1.SAML supports multi-factor authentication by allowing the identity provider to require the user to present two or more factors of evidence to prove their identity2. For example, the user may need to enter a password and a one-time code sent to their phone, or scan their fingerprint and face.

Question 5

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

'To set the default username and password, place user-seed.conf in $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used.'

Question 6

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Indexers, search head, deployment server, license master, universal forwarder. This is the combination of Splunk component instances that are needed to handle the volume of data from collecting log files from 50 Linux servers and 200 Windows servers, following the best practices. The roles and functions of these components are:

Indexers: These are the Splunk instances that index the data and make it searchable. They also perform some data processing, such as timestamp extraction, line breaking, and field extraction. Multiple indexers can be clustered together to provide high availability, data replication, and load balancing.

Search head: This is the Splunk instance that coordinates the search across the indexers and merges the results from them. It also provides the user interface for searching, reporting, and dashboarding. A search head can also be clustered with other search heads to provide high availability, scalability, and load balancing.

Deployment server: This is the Splunk instance that manages the configuration and app deployment for the universal forwarders. It allows the administrator to centrally control the inputs.conf, outputs.conf, and other configuration files for the forwarders, as well as distribute apps and updates to them.

License master: This is the Splunk instance that manages the licensing for the entire Splunk deployment. It tracks the license usage of all the Splunk instances and enforces the license limits and violations. It also allows the administrator to add, remove, or change licenses.

Universal forwarder: These are the lightweight Splunk instances that collect data from various sources and forward it to the indexers or other forwarders. They do not index or parse the data, but only perform minimal processing, such as compression and encryption. They are installed on the Linux and Windows servers that generate the log files.

Question 7

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 8

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Splunk authentication: Provides Admin, Power and User by default, and you can define your own roles using a list of capabilities. If you have an Enterprise license, Splunk authentication is enabled by default. See Set up user authentication with Splunk's built-in system for more information. LDAP: Splunk Enterprise supports authentication with its internal authentication services or your existing LDAP server. See Set up user authentication with LDAP for more information. Scripted authentication API: Use scripted authentication to integrate Splunk authentication with an external authentication system, such as RADIUS or PAM. See Set up user authentication with external systems for more information. Note: Authentication, including native authentication, LDAP, and scripted authentication, is not available in Splunk Free.

Question 9

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 10

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

'To keep configuration settings consistent across peer nodes, configuration files are managed from the cluster master, which pushes the files to the slave-app directories on the peer nodes. Files in the slave-app directories have the highest precedence in a cluster peer's configuration. Here is the expanded precedence order for cluster peers:

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 11

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

According to the Splunk documentation1, to mask sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file and the REGEX attribute in the transforms.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing, while the REGEX attribute defines a regular expression to match the data to be masked. You need to place these files on the Splunk instance that parses the data, which is usually the indexer or the heavy forwarder2. The universal forwarder does not parse the data, so it does not need these files.

For source A, the data is routed through a heavy forwarder, which can parse the data before sending it to the indexer. Therefore, you need to place both props.conf and transforms.conf on the heavy forwarder for source A, so that the masking takes place before indexing.

For source B, the data is routed directly to the indexer, which parses and indexes the data. Therefore, you need to place both props.conf and transforms.conf on the indexer for source B, so that the masking takes place before indexing.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 12

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 13

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 14

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 15

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 16

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 17

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

The setting that allows the configuration of Splunk to allow events to span over more than one line is SHOULD_LINEMERGE. This setting determines whether consecutive lines from a single source should be concatenated into a single event. If SHOULD_LINEMERGE is set to true, Splunk will attempt to merge multiple lines into one event based on certain criteria, such as timestamps or regular expressions. Therefore, option A is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Configure event line merging - Splunk Documentation]

Question 18

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 19

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

A network input is a type of input that monitors data from TCP or UDP ports. To configure a network input, you need to specify the port number, the connection host, the source, and the sourcetype in the inputs.conf file. You can also set other optional settings, such as index, queue, and host_regex1.

The inputs.conf file is a configuration file that contains the settings for different types of inputs, such as files, directories, scripts, network ports, and Windows event logs. The inputs.conf file can be located in various directories, depending on the scope and priority of the settings. The most common locations are:

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

Therefore, the best practice is to create or edit the inputs.conf file in the $SPLUNK_HOME/etc/apps/$appName/local directory, where $appName is the name of the app that you want to configure the network input for. This way, you can avoid modifying the default files and ensure that your settings are applied to the specific app.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

C . There is no udp.conf file in Splunk. The network input settings should be in the inputs.conf file, not in a separate file. The system directory is not the recommended location for custom settings, as it affects the entire Splunk instance.

D . The var/lib/splunk directory is where Splunk stores the indexed data, not the input settings. The homePath setting is used to specify the location of the index data, not the input data. The inputName is not a valid variable for inputs.conf.

Question 20

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder's outputs. and the tcpout stanza are setup correctly. What else could be the cause of this scaling issue? (select all that apply)

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

The possible causes of the load balancing issue on the Universal Forwarder are A and C. The receiving port and the DNS record are both factors that affect the ability of the Universal Forwarder to distribute data across multiple receivers. If the receiving port is not properly set up to listen on the right port, or if the DNS record used is not set up with a valid list of IP addresses, the Universal Forwarder might fail to connect to some or all of the receivers, resulting in poor load balancing.

Question 21

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Per the provided Splunk reference URL by @hwangho, scroll to section Forward search head data, subsection titled, 2. Configure the search head as a forwarder. 'Create an outputs.conf file on the search head that configures the search head for load-balanced forwarding across the set of search peers (indexers).'

Question 22

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 23

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

The parsing phase is the process of extracting fields and values from raw data. The parsing phase respects LINE_BREAKER, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings in props.conf. These settings determine how Splunk breaks the data into events based on certain criteria, such as timestamps or regular expressions. The event boundaries are defined by the props.conf file, which can be modified by the administrator. Therefore, the parsing phase is the last opportunity for defining event boundaries.

Question 24

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

In a clustered environment, the precedence of configuration files changes slightly from that of a standalone deployment. The app local directories move to second in the priority list, after the peer-apps local directory. This means that any configuration files in the app local directories on the individual peers are overridden by configuration files of the same name and type in the peer-apps local directory on the master node.

Question 25

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 26

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 27

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 28

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 29

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 30

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Scroll down to section titled, How the cluster handles concurrent search quotas, 'Overall search quota. This quota determines the maximum number of historical searches (combined scheduled and ad hoc) that the cluster can run concurrently. This quota is configured with max_Searches_per_cpu and related settings in limits.conf.'

Question 31

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 32

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 33

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 34

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Specifies a comma-separated list of tcpout group names. Use this setting to selectively forward your data to specific indexers by specifying the tcpout groups that the forwarder should use when forwarding the data. Define the tcpout group names in the outputs.conf file in [tcpout:<tcpout_group_name>] stanzas. The groups present in defaultGroup in [tcpout] stanza in the outputs.conf file.

Question 35

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 36

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 37

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 38

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

'Specify how far (how many characters) into an event Splunk software should look for a timestamp.' since TIME_PREFIX = ^ and timestamp is from 0-29 position, so D=30 will pick up the WHOLE timestamp correctly.

Question 39

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 40

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

In this case, the event does not have a time zone specified in the raw data, nor does it have a TZ attribute set in props.conf. Therefore, the next rule applies, which is to use the time zone that the forwarder provides. A universal forwarder is a lightweight agent that can forward data to a Splunk deployment, and it knows its system time zone and sends that information along with the events to the indexer2. The indexer then converts the event time to UTC and stores it in the _time field1.

The other options are incorrect because:

A . Universal Coordinated Time (UTC) is not the time zone that Splunk adds to the event as part of indexing, but rather the time zone that Splunk uses to store the event time in the _time field. Splunk software converts the event time to UTC based on the time zone that it determines from the rules above1.

B . The timezone of the search head is not relevant for indexing, as the search head is a Splunk component that handles search requests and distributes them to indexers, but it does not process incoming data3. The search head uses the user's timezone setting to determine the time range in UTC that should be searched and to display the timestamp of the results in the user's timezone2.

C . The timezone of the indexer that indexed the event is only used as a last resort, if none of the other rules apply. In this case, the forwarder provides the time zone information, so the indexer does not use its own time zone1.

Question 41

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 42

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 43

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 44

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

Question 45

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 46

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 47

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 48

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.This is explained in the Splunk documentation1, which states:

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 49

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 50

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 51

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 52

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 53

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Scripted Authentication: An option for Splunk Enterprise authentication. You can use an authentication system that you have in place (such as PAM or RADIUS) by configuring authentication.conf to use a script instead of using LDAP or Splunk Enterprise default authentication.

Question 54

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 55

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

The deployer is a Splunk Enterprise instance that you use to distribute apps and certain other configuration updates to search head cluster members. The set of updates that the deployer distributes is called the configuration bundle. https://docs.splunk.com/Documentation/Splunk/8.1.3/DistSearch/PropagateSHCconfigurationchanges#:~:text=The%20deployer%20is%20a%20Splunk,is%20called%20the%20configuration%20bundle.

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 56

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

The input path can be a file or a directory, and it can include wildcards (*) and regular expressions. The wildcards match any number of characters, including none, while the regular expressions match patterns of characters. The input path is case-sensitive and must be enclosed in double quotes if it contains spaces1.

In this case, the input path is /var/log//bar/.txt, which means Splunk will monitor any file with the .txt extension that is located in a subdirectory named bar under the /var/log directory. The subdirectory bar can be at any level under the /var/log directory, and the * wildcard will match any characters before or after the bar and .txt parts1.

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 57

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 58

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

'When ingesting event data, the measured data volume is based on the new raw data that is placed into the indexing pipeline. Because the data is measured at the indexing pipeline, data that is filetered and dropped prior to indexing does not count against the license volume qota.'

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 59

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 60

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Different retention times: You can set different retention policies for different indexes, depending on how long you want to keep the data. For example, you can have an index for security data that has a longer retention time than an index for performance data that has a shorter retention time.

Restrict user permissions: You can set different access permissions for different indexes, depending on who needs to see the data. For example, you can have an index for sensitive data that is only accessible by certain users or roles, and an index for public data that is accessible by everyone.

Question 61

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

According to the Splunk documentation1, event processing occurs at the parsing phase of the data pipeline.The parsing phase is where Splunk software processes incoming data into individual events, extracts timestamp information, assigns source types, and performs other tasks to make the data searchable1.The parsing phase can also apply field extractions, event type matching, and other transformations to the events2.

Question 62

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 63

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 64

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 65

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 66

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 67

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 68

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

'All Splunk Enterprise instances functioning as management components needs access to an Enterprise license. Management components include the deployment server, the indexer cluster manager node, the search head cluster deployer, and the monitoring console.'

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 69

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 70

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

'You can map either users or groups, but not both. If you are using groups, all users must be members of an appropriate group. Groups inherit capabilities form the highest level role they're a member of.' 'If your LDAP environment does not have group entries, you can treat each user as its own group.'

Question 71

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Scroll down to the section Titled, How to configure forwarder inputs, and subsection Here are the main ways that you can configure data inputs on a forwarder Install the app or add-on that contains the inputs you wants

Question 72

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 73

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 74

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 75

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Line breaking, which uses theLINE_BREAKERsetting to split the incoming stream of data into separate lines. By default, theLINE_BREAKERvalue is any sequence of newlines and carriage returns. In regular expression format, this is represented as the following string:([\r\n]+). You don't normally need to adjust this setting, but in cases where it's necessary, you must configure it in the props.conf configuration file on the forwarder that sends the data to Splunk Cloud Platform or a Splunk Enterprise indexer. TheLINE_BREAKERsetting expects a value in regular expression format.

Question 76

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Begin generating internal Splunk logs.Immediately after installation, a Universal Forwarder will start generating internal Splunk logs that contain information about its own operation, such as startup and shutdown events, configuration changes, data ingestion, and forwarding activities1.These logs are stored in the$SPLUNK_HOME/var/log/splunkdirectory on the Universal Forwarder machine2.

Question 77

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

[monitor::/opt/log/crashlog/Jan27crash.txt].This stanza means that Splunk is monitoring a single local file named Jan27crash.txt in the /opt/log/crashlog/ directory1.The monitor input type is used to monitor files and directories for changes and index any new data that is added2.

Question 78

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 79

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

'To determine the order of directories for evaluating configuration file precendence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user'

Question 80

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 81

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

The power role is a default Splunk role that grants users the ability to create saved searches, edit shared objects and alerts, and access advanced search commands. However, the power role does not allow users to create custom roles, which is a privilege reserved for the admin role. Therefore, option B is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [About configuring role-based user access - Splunk Documentation]

Question 82

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

When there are conflicting settings within two or more configuration files, the setting with the highest precedence is used. The precedence of configuration files is determined by a combination of the file type, the directory location, and the alphabetical order of the file names.

Question 83

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 84

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 85

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 86

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

'Enterprise Trial license. If you get five or more warnings in a rolling 30 days period, you are in violation of your license. Dev/Test license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. Developer license. If you generate five or more warnings in a rolling 30-day period, you are in violation of your license. BUT for Free license. If you get three or more warnings in a rolling 30 days period, you are in violation of your license.'

Question 87

Consider a company with a Splunk distributed environment in production. The Compliance Department wants to start using Splunk; however, they want to ensure that no one can see their reports or any other knowledge objects. Which Splunk Component can be added to implement this policy for the new team?

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 88

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Section titled, Configuration file directories, states 'A detailed list of settings for each configuration file is provided in the .spec file names for that configuration file. You can find the latest version of the .spec and .example files in the $SPLUNK_HOME/etc system/README folder of your Splunk Enterprise installation...'

Question 89

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

The CLI command 'Splunk add forward-server indexer:<receiving-port>' is used to define the indexer and the listening port on forwards. The command creates this kind of entry '[tcpout-server://<ip address>:]' in the outputs.conf file.

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 90

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 91

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

The next step to enable the communication between the forwarder and the deployment server after installing a new forwarder with a manually created deploymentclient.conf is to restart Splunk on the deployment client. The deploymentclient.conf file contains the settings for the deployment client, which is a Splunk instance that receives updates from the deployment server. The file must include the targetUri attribute, which specifies the hostname and management port of the deployment server. To apply the changes in the deploymentclient.conf file, Splunk must be restarted on the deployment client. Therefore, option C is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Configure deployment clients - Splunk Documentation]

Question 92

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 93

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 94

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

'The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events.'

Question 95

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 96

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 97

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 98

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 99

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 100

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

'The report does not necessarily represent what's loaded in memory. If a conf file change is made that requires a service restart, the btool report shows the change even though that change isn't active.'

Question 101

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

To verify the integrity of a local bucket.The command./splunk check-integrity -bucketPath [bucket path] [-verbose]is used to verify the integrity of a local bucket by comparing the hashes stored in the l1Hashes and l2Hash files with the actual data in the bucket1. This command can help detect any tampering or corruption of the data.

Question 102

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 103

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 104

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 105

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 106

Which of the following are methods for adding inputs in Splunk? (select all that apply)

ACLI

BSplunk Web

CEditing inputs. conf

DEditing monitor. conf

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Add your data to Splunk Enterprise. With Splunk Enterprise, you can add data using Splunk Web or Splunk Apps. In addition to these methods, you also can use the following methods. -The Splunk Command Line Interface (CLI) -The inputs.conf configuration file. When you specify your inputs with Splunk Web or the CLI, the details are saved in a configuartion file on Splunk Enterprise indexer and heavy forwarder instances.

Question 107

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 108

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 109

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 110

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

Once further conditions are met (for example, the index reaches some maximum number of warm buckets), the indexer begins to roll the warm buckets to cold, based on their age. It always selects the oldest warm bucket to roll to cold. Buckets continue to roll to cold as they age in this manner. Cold buckets reside in a different location from hot and warm buckets. You can configure the location so that cold buckets reside on cheaper storage.

166653

Question 111

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 112

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

According to the Splunk documentation1, to redact sensitive data from raw events, you need to use the SEDCMD attribute in the props.conf file. The SEDCMD attribute applies a sed expression to the raw data before indexing. The sed expression can use the s command to replace a pattern with a substitution string. For example, the following sed expression replaces any occurrence of password= followed by any characters until a comma, whitespace, or slash with ####REACTED####:

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option C is incorrect because it uses the transforms.conf file instead of the props.conf file. The transforms.conf file is used to define transformations that can be applied to fields or events, such as lookups, evaluations, or replacements. However, these transformations are applied after indexing, not before.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 113

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

'Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf'

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 114

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 115

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 116

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 117

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 118

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 119

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 120

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 121

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 122

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

'You can collect data on the universal forwarder using several methods. Define inputs on the universal forwarder with the CLI. You can use the CLI to define inputs on the universal forwarder. After you define the inputs, the universal forwarder collects data based on those definitions as long as it has access to the data that you want to monitor. Define inputs on the universal forwarder with configuration files. If the input you want to configure does not have a CLI argument for it, you can configure inputs with configuration files. Create an inputs.conf file in the directory, $SPLUNK_HOME/etc/system/local

Question 123

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 124

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 125

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 126

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 127

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 128

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 129

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 130

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 131

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 132

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 133

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 134

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 135

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 136

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 137

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 138

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 139

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 140

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 141

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 142

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 143

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Deploy/Datapipeline 'The data pipeline segments in depth. INPUT - In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks it into 64K blocks, and annotates each block with some metadata keys. The keys can also include values that are used internally, such as the character encoding of the data stream, and values that control later processing of the data, such as the index into which the events should be stored. PARSING Annotating individual events with metadata copied from the source-wide keys. Transforming event data and metadata according to regex transform rules.'

Question 144

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 145

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 146

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 147

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 148

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 149

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 150

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 151

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

'While HEC has precautions in place to prevent data loss, it's impossible to completely prevent such an occurrence, especially in the event of a network failure or hardware crash. This is where indexer acknolwedgment comes in.'

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 152

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 153

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 154

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 155

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 156

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Splunk platform attempts native authentication first. If authentication fails outside of a local account that doesn't exist, there is no attempt to use LDAP to log in. This is adapted from precedence of Splunk authentication schema.

Question 157

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 158

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 159

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 160

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 161

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 162

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 163

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 164

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

The fastest way to add data to your Splunk Cloud instance or Splunk Enterprise deployment is to use Splunk Web. After you access the Add Data page, choose one of three options for getting data into your Splunk platform deployment with Splunk Web: (1) Upload, (2) Monitor, (3) Forward The Upload option lets you upload a file or archive of files for indexing. When you choose Upload option, Splunk Web opens the upload process page. Monitor. For Splunk Enterprise installations, the Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to.

Question 165

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 166

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 167

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 168

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

'It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index that file, as the blacklist filter overrides the whitelist filter.' Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata

Question 169

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 170

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 171

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 172

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 173

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 174

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

The splunk server field contains the name of the Splunk server containing the event. Useful in a distributed Splunk environment. Example: Restrict a search to the main index on a server named remote. splunk_server=remote index=main 404

Question 175

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 176

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

When using license pools, volume allocations apply to indexers. A license pool is a group of indexers that share a certain amount of daily indexing volume. The license pool specifies how much data each indexer can index per day, as well as which indexes are available for each indexer. Therefore, option A is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Set up and manage license pools - Splunk Documentation]

Question 177

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 178

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 179

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 180

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 181

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

curl ''https://mysplunkserver.example.com:8088/services/collector'' \ -H ''Authorization: Splunk DF4S7ZE4-3GS1-8SFS-E777-0284GG91PF67'' \ -d '{''event'': ''Hello World''}, {''event'': ''Hola Mundo''}, {''event'': ''Hallo Welt''}'. This is the correct curl command to send multiple events through HTTP Event Collector (HEC), which is a token-based API that allows you to send data to Splunk Enterprise from any application that can make an HTTP request. The command has the following components:

The URL of the HEC endpoint, which consists of the protocol (https), the hostname or IP address of the Splunk server (mysplunkserver.example.com), the port number (8088), and the service name (services/collector).

The header that contains the authorization token, which is a unique identifier that grants access to the HEC endpoint. The token is prefixed with Splunk and enclosed in quotation marks. The token value (DF4S7ZE4-3GS1-8SFS-E777-0284GG91PF67) is an example and should be replaced with your own token value.

The data payload that contains the events to be sent, which are JSON objects enclosed in curly braces and separated by commas. Each event object has a mandatory field called event, which contains the raw data to be indexed. The event value can be a string, a number, a boolean, an array, or another JSON object. In this case, the event values are strings that say hello in different languages.

Question 182

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 183

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 184

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 185

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 186

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

'Configure character set encoding. Splunk software attempts to apply UTF-8 encoding to your scources by default. If a source foesn't use UTF-8 encoding or is a non-ASCII file, Splunk software tries to convert data from the source to UTF-8 encoding unless you specify a character set to use by setting the CHARSET key in the props.conf file.'

Question 187

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 188

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 189

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 190

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 191

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 192

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 193

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 194

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 195

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 196

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 197

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 198

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 199

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configuration require the FORMAT settings. The FORMAT settings is optional for search-time field extraction configurations.

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 200

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

'To activate deployment server, you must place at least one app into %SPLUNK_HOME%\etc\deployment-apps on the host you want to act as deployment server. In this case, the app is the 'send to indexer' app you created earlier, and the host is the indexer you set up initially.

Question 201

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 202

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 203

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 204

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 205

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 206

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 207

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 208

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 209

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 210

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 211

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 212

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

- etc/system/local/ has better precedence at index time - for identical settings in the same file, the last one overwrite others, see : https://community.splunk.com/t5/Getting-Data-In/What-is-the-precedence-for-identical-stanzas-within-a-single/m-p/283566

Question 213

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 214

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 215

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 216

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Immediately after installation, a universal forwarder will start generating internal Splunk logs that contain information about its own operation, such as configuration changes, data inputs, and forwarding activities1.These logs are stored in the $SPLUNK_HOME/var/log/splunk directory on the universal forwarder machine1.The universal forwarder will not automatically detect any indexers in its subnet and begin routing data, as it needs to be configured with the IP address and port number of the indexer or the deployment server2.The universal forwarder will not begin reading local files on its server, as it needs to be configured with the data inputs that specify which files or directories to monitor2.The universal forwarder will not send an email to the operator that the installation process has completed, as this is not a default behavior of the universal forwarder and would require additional configuration3.

Question 217

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 218

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 219

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 220

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps. This is not a valid location for any app on a universal forwarder. The universal forwarder does not act as a deployment server and does not store deployment apps3.

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

A deployment server is a Splunk Enterprise instance that acts as a centralized configuration manager for any number of other instances, called ''deployment clients''. A deployment client can be a universal forwarder, a non-clustered indexer, or a search head1.

A deployment app is a directory that contains any content that you want to download to a set of deployment clients. The content can include a Splunk Enterprise app, a set of Splunk Enterprise configurations, or other content, such as scripts, images, and supporting files2.

You create a deployment app by creating a directory for it on the deployment server. The default location is $SPLUNK_HOME/etc/deployment-apps, but this is configurable through the repositoryLocation attribute in serverclass.conf. Underneath this location, each app must have its own subdirectory. The name of the subdirectory serves as the app name in the forwarder management interface2.

The other options are incorrect because:

A . On Universal Forwarder, $SPLUNK_HOME/etc/apps. This is the location where the deployment app resides after it is downloaded from the deployment server to the universal forwarder. It is not the location of the app before it is deployed2.

B . On Deployment Server, $SPLUNK_HOME/etc/apps. This is the location where the apps that are specific to the deployment server itself reside. It is not the location where the deployment apps for the clients are stored2.

Question 221

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 222

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 223

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 224

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 225

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 226

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 227

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 228

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 229

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

'The Splunk platform collects remote Windows data for indexing in one of two ways: From Splunk forwarders, Using Windows Management Instrumentation (WMI). For Splunk Cloud deployments, you must use the Splunk Universal Forwarder on a Windows machines to montior remote Windows data.'

Question 230

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 231

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 232

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 233

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 234

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 235

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 236

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 237

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 238

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 239

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 240

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 241

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 242

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 243

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 244

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 245

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 246

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 247

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 248

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 249

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 250

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 251

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 252

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 253

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 254

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 255

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 256

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 257

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 258

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 259

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 260

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 261

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 262

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

Question 263

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 264

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

The coldPath parameter defines the path for the cold buckets, which are the oldest and least frequently accessed data in an index1. By setting the coldPath to point to the NAS mount point, the Splunk administrator can achieve the retention strategy of having older data on slower NAS storage.

Question 265

Which of the following are methods for adding inputs in Splunk? (select all that apply)

ACLI

BSplunk Web

CEditing inputs. conf

DEditing monitor. conf

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Question 266

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Sending events to HEC with indexer acknowledgment active is similar to sending them with the setting off. There is one crucial difference: when you have indexer acknowledgment turned on, you must specify a channel when you send events. The concept of a channel was introduced in HEC primarily to prevent a fast client from impeding the performance of a slow client. When you assign one channel per client, because channels are treated equally on Splunk Enterprise, one client can't affect another. You must include a matching channel identifier both when sending data to HEC in an HTTP request and when requesting acknowledgment that events contained in the request have been indexed. If you don't, you will receive the error message, 'Data channel is missing.' Each request that includes a token for which indexer acknowledgment has been enabled must include a channel identifier, as shown in the following example cURL statement, where <data> represents the event data portion of the request

Question 267

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

This is because the input type is UDP, which is an unreliable protocol that does not guarantee delivery, order, or integrity of the data packets. UDP does not have any mechanism to resend or acknowledge the data packets, so if Splunk is restarted, any data that was in transit or in the buffer may be dropped and not indexed.

Question 268

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 269

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 270

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 271

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 272

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 273

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 274

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 275

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 276

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 277

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 278

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 279

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 280

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/Updating/Definedeploymentclasses#Ways_to_define_server_classes 'When you use forwarder management to create a new server class, it saves the server class definition in a copy of serverclass.conf under $SPLUNK_HOME/etc/system/local. If, instead of using forwarder management, you decide to directly edit serverclass.conf, it is recommended that you create the serverclass.conf file in that same directory, $SPLUNK_HOME/etc/system/local.'

Question 281

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 282

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 283

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 284

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

The CLI command to view the current forwarder to indexer configuration is splunk list forward-server. This command displays the hostnames and port numbers of the indexers that the forwarder sends data to. Therefore, option C is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Use CLI commands to manage your forwarders - Splunk Documentation]

Question 285

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 286

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

The correct methods to connect a deployment client to a deployment server are A and C.You can either run the commandsplunk set deploy-poll <IP_address/hostname>:<management_port>from the command line of the deployment client1or create and edit a deploymentclient.conf file in$SPLUNK_HOME/etc/system/localon the deployment client2. Both methods require you to specify the IP address, hostname, and management port of the deployment server that you want the client to connect to.

Question 287

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 288

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 289

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 290

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 291

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 292

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 293

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 294

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 295

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 296

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 297

Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field resulting output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled 'Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

Question 298

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 299

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 300

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 301

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 302

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 303

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 304

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 305

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 306

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 307

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Parallel reduce search processing If you struggle with extremely large high-cardinality searches, you might be able to apply parallel reduce processing to them to help them complete faster. You must have a distributed search environment to use parallel reduce search processing.

Question 308

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 309

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 310

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 311

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 312

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 313

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 314

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 315

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 316

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 317

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 318

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 319

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

When using a directory monitor input, specific source types can be selectively overridden using props.conf. The props.conf file contains settings for parsing and indexing data, as well as search-time field extractions. The props.conf file can be used to assign or change source types for specific inputs using the sourcetype attribute. Therefore, option A is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Configure directory monitor inputs - Splunk Documentation]

Question 320

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 321

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 322

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 323

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 324

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 325

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 326

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 327

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 328

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 329

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 330

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 331

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 332

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 333

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 334

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 335

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 336

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 337

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 338

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 339

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 340

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 341

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 342

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 343

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 344

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 345

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 346

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user: Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature. App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps.

Question 347

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 348

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

The eval command is a distributable streaming command, which means that it can run on the search peers in a distributed environment1.The search peers are the indexers that store the data and perform the initial steps of the search processing2.The eval command calculates an expression and puts the resulting value into a search results field1. In your search, you are using the eval command to create a new field called ''responsible_team'' based on the values in the ''account'' field.

Question 349

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 350

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 351

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 352

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 353

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 354

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 355

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 356

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 357

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 358

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Question 359

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 360

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 361

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 362

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 363

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 364

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 365

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 366

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 367

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 368

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 369

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 370

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 371

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 372

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 373

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 374

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 375

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 376

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 377

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 378

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 379

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 380

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 381

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 382

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 383

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 384

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 385

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 386

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 387

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 388

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 389

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 390

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 391

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 392

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 393

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 394

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 395

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 396

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 397

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 398

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 399

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 400

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 401

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 402

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 403

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 404

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 405

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 406

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 407

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 408

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Question 409

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 410

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 411

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 412

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 413

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 414

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 415

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 416

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 417

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 418

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 419

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 420

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 421

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 422

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 423

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 424

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 425

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 426

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 427

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 428

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 429

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 430

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 431

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 432

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 433

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 434

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 435

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 436

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 437

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 438

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Users log on to the search head and run reports: -- The search head dispatches searches to the peers -- Peers run searches in parallel and return their portion of results -- The search head consolidates the individual results and prepares reports

Question 439

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 440

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 441

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

When creating an HTTP event, the request header must include a token that identifies the HTTP Event Collector (HEC) endpoint. The token is a 32-character hexadecimal string that is generated when the HEC endpoint is created. The token is used to authenticate the request and route the event data to the correct index. Therefore, option B is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [About HTTP Event Collector - Splunk Documentation]

Question 442

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Question 443

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 444

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 445

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 446

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 447

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 448

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 449

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 450

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 451

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 452

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

When Splunk is integrated with LDAP, most of the user attributes are managed by the LDAP server and cannot be changed in the Splunk UI. However, one exception is the default app attribute, which specifies which app a user sees when they log in to Splunk. This attribute can be changed in the Splunk UI by editing the user settings. Therefore, option A is the correct answer. References:Splunk Enterprise Certified Admin | Splunk, [Configure Splunk to use LDAP and map groups - Splunk Documentation]

Question 453

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 454

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 455

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 456

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 457

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 458

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 459

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 460

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 461

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 462

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 463

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 464

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 465

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 466

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 467

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 468

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 469

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 470

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 471

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 472

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 473

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 474

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 475

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 476

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 477

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 478

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 479

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 480

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 481

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 482

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 483

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 484

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Security/Dataintegritycontrol#:~:text=When%20you%20enable%20data%20integrity%20control%2C%20Splunk%20Enterprise%20computes%20hashes,it%20to%20a%20l1Hashes%20file.

Question 485

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 486

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 487

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 488

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 489

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 490

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 491

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 492

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 493

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 494

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 495

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 496

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 497

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 498

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 499

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 500

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 501

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 502

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 503

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 504

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 505

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 506

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 507

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 508

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 509

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 510

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 511

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Question 512

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 513

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 514

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 515

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 516

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 517

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 518

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 519

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 520

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 521

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 522

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 523

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 524

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 525

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 526

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 527

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 528

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

followTail: This attribute, when set in inputs.conf, ensures that Splunk starts reading a file from the end (tail) and does not index existing old data. It is ideal for scenarios with large files where only new updates are relevant.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 529

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 530

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 531

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 532

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 533

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 534

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 535

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 536

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 537

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 538

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 539

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 540

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 541

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 542

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 543

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 544

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 545

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 546

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 547

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

AIt requires a separate channel provided by the client.

BIt is configured the same as indexer acknowledgement used to protect in-flight data.

CIt can be enabled at the global setting level.

DIt stores status information on the Splunk server.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/AboutHECIDXAck

- Section: About channels and sending data

Question 548

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 549

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 550

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 551

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 552

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 553

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 554

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 555

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 556

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 557

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 558

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 559

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 560

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 561

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 562

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 563

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 564

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 565

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 566

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 567

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 568

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 569

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 570

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 571

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 572

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 573

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 574

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 575

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 576

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 577

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 578

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 579

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 580

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 581

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 582

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 583

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 584

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 585

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 586

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 587

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 588

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 589

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 590

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 591

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 592

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 593

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 594

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 595

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 596

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 597

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 598

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 599

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 600

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 601

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 602

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 603

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 604

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 605

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 606

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 607

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 608

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 609

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 610

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 611

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 612

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 613

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 614

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 615

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 616

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 617

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 618

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 619

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 620

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 621

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 622

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 623

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 624

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 625

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 626

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 627

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 628

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 629

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled 'Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

Question 630

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 631

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 632

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 633

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 634

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 635

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 636

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 637

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 638

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 639

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 640

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 641

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 642

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 643

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 644

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 645

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 646

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 647

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 648

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 649

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 650

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 651

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 652

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 653

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 654

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 655

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 656

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 657

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 658

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 659

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 660

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 661

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 662

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 663

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 664

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 665

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 666

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 667

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 668

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 669

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 670

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 671

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 672

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 673

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 674

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 675

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 676

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 677

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 678

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 679

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 680

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 681

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 682

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 683

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 684

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 685

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 686

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 687

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 688

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 689

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 690

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 691

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 692

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 693

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 694

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 695

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 696

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 697

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 698

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 699

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 700

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 701

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 702

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 703

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 704

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 705

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 706

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 707

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 708

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 709

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 710

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 711

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 712

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 713

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 714

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 715

Which of the following are methods for adding inputs in Splunk? (select all that apply)

ACLI

BSplunk Web

CEditing inputs. conf

DEditing monitor. conf

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Question 716

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 717

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 718

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 719

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 720

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 721

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 722

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 723

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 724

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 725

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 726

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 727

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 728

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 729

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 730

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 731

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 732

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 733

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 734

When are knowledge bundles distributed to search peers?

AAfter a user logs in.

BWhen Splunk is restarted.

CWhen adding a new search peer.

DWhen a distributed search is initiated.

Answer : D

'The search head replicates the knowledge bundle periodically in the background or when initiating a search. ' 'As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf.'

Question 735

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 736

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 737

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 738

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 739

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 740

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 741

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 742

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 743

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 744

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 745

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 746

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 747

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 748

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 749

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

Splunk checks role-to-group mapping only during user login for external authentication (e.g., LDAP, SAML). Users already logged in will continue using their previously assigned roles until they log out and log back in.

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 750

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 751

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 752

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 753

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 754

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 755

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 756

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 757

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 758

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 759

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 760

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 761

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 762

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 763

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 764

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 765

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 766

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 767

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 768

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 769

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled 'Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

Question 770

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 771

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 772

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 773

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 774

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 775

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 776

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 777

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 778

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 779

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 780

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 781

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 782

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 783

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 784

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 785

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 786

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 787

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 788

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 789

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 790

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 791

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 792

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 793

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 794

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 795

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 796

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 797

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 798

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 799

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 800

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 801

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 802

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 803

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 804

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 805

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 806

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 807

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 808

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 809

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 810

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 811

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 812

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 813

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 814

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 815

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 816

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 817

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 818

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 819

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 820

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 821

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 822

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 823

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 824

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 825

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 826

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 827

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 828

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 829

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 830

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 831

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 832

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 833

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 834

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 835

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 836

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 837

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 838

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 839

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 840

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 841

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 842

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 843

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 844

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 845

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 846

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 847

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 848

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 849

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 850

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 851

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 852

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 853

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 854

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 855

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 856

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 857

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 858

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 859

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 860

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 861

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 862

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 863

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 864

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 865

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 866

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 867

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 868

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 869

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 870

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 871

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 872

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 873

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 874

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 875

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 876

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 877

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 878

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 879

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 880

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 881

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 882

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 883

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 884

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 885

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 886

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 887

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 888

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 889

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 890

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 891

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 892

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 893

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 894

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 895

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 896

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 897

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 898

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 899

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 900

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 901

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 902

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 903

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 904

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 905

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 906

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 907

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 908

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 909

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 910

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 911

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 912

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 913

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 914

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 915

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 916

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 917

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 918

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 919

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 920

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 921

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 922

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 923

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 924

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 925

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 926

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 927

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 928

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 929

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 930

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 931

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 932

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 933

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 934

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 935

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 936

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 937

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 938

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 939

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 940

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 941

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 942

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 943

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 944

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 945

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 946

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 947

Which of the following are methods for adding inputs in Splunk? (select all that apply)

ACLI

BSplunk Web

CEditing inputs. conf

DEditing monitor. conf

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Question 948

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 949

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 950

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 951

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 952

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 953

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 954

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 955

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 956

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 957

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 958

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 959

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 960

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 961

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 962

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 963

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 964

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 965

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 966

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 967

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 968

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 969

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 970

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 971

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 972

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 973

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

Question 974

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 975

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 976

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 977

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 978

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 979

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 980

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 981

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 982

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 983

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 984

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 985

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 986

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 987

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 988

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 989

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 990

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 991

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 992

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 993

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 994

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 995

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 996

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 997

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 998

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 999

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 1000

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 1001

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1002

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 1003

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 1004

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1005

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1006

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 1007

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 1008

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 1009

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 1010

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 1011

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 1012

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 1013

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1014

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 1015

When are knowledge bundles distributed to search peers?

AAfter a user logs in.

BWhen Splunk is restarted.

CWhen adding a new search peer.

DWhen a distributed search is initiated.

Answer : D

Question 1016

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 1017

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1018

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1019

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1020

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 1021

Which of the following are methods for adding inputs in Splunk? (select all that apply)

ACLI

BSplunk Web

CEditing inputs. conf

DEditing monitor. conf

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs

Question 1022

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 1023

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1024

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 1025

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 1026

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 1027

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1028

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 1029

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 1030

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 1031

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1032

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 1033

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 1034

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 1035

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1036

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1037

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1038

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 1039

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 1040

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 1041

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 1042

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 1043

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 1044

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1045

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 1046

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1047

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1048

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 1049

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 1050

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 1051

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 1052

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 1053

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1054

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1055

What are the values for host and index for [stanza1] used by Splunk during index time, given the following configuration files?

Ahost=server1
index=unixinfo

Bhost=server1
index=searchinfo

Chost=searchsvr1
index=searchinfo

Dhost=unixsvr1
index=unixinfo

Answer : A

Question 1056

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 1057

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1058

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1059

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1060

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 1061

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 1062

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1063

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

Question 1064

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1065

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1066

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 1067

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 1068

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 1069

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 1070

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 1071

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 1072

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 1073

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1074

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 1075

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 1076

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 1077

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?

AchannelTTL

BconnectionTimeout

CautoLBFrequency

DsecsInFailurelnterval

Answer : C

Question 1078

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1079

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 1080

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 1081

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 1082

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 1083

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1084

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 1085

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1086

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1087

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 1088

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 1089

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 1090

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1091

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1092

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 1093

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1094

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 1095

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1096

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled 'Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

Question 1097

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 1098

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 1099

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1100

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 1101

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1102

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1103

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1104

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1105

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1106

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 1107

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 1108

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1109

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 1110

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1111

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 1112

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1113

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

Ainputs.conf

Bindexes.conf

Coutputs.conf

Dservers.conf

Answer : C

https://docs.splunk.com/Documentation/Forwarder/8.2.2/Forwarder/Configureforwardingwithoutputs.conf

Question 1114

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 1115

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 1116

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1117

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 1118

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 1119

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1120

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 1121

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 1122

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 1123

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1124

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 1125

To set up a Network input in Splunk, what needs to be specified'?

AFile path.

BUsername and password

CNetwork protocol and port number.

DNetwork protocol and MAC address.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports

Question 1126

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 1127

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 1128

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1129

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1130

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 1131

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 1132

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1133

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 1134

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1135

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 1136

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1137

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1138

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 1139

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 1140

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 1141

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 1142

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1143

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1144

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 1145

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 1146

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1147

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1148

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 1149

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 1150

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1151

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1152

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1153

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1154

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 1155

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 1156

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1157

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 1158

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 1159

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1160

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 1161

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1162

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 1163

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 1164

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 1165

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 1166

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1167

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1168

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1169

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 1170

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1171

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 1172

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 1173

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1174

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 1175

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 1176

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 1177

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 1178

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 1179

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 1180

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1181

In inputs. conf, which stanza would mean Splunk was only reading one local file?

A[read://opt/log/crashlog/Jan27crash.txt]

B[monitor::/ opt/log/crashlog/Jan27crash.txt]

C[monitor:/// opt/log/]

D[monitor:/// opt/log/ crashlog/Jan27crash.txt]

Answer : B

Question 1182

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1183

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 1184

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 1185

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1186

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 1187

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 1188

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1189

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1190

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 1191

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 1192

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1193

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1194

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1195

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 1196

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 1197

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 1198

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 1199

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1200

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1201

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 1202

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1203

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 1204

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1205

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1206

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1207

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 1208

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 1209

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1210

How would you configure your distsearch conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_setver_group=HOUSTON

Aoption A

BOption B

COption C

DOption D

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups

Question 1211

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 1212

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1213

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 1214

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1215

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1216

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1217

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 1218

Local user accounts created in Splunk store passwords in which file?

A$ SFLUNK_HOME/etc/passwd

B$ SFLUNK_HOME/etc/authentication

C$ S?LUNK_HOME/etc/users/passwd.conf

D$ SPLUNK HOME/etc/users/authentication.conf

Answer : A

Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf

Question 1219

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1220

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 1221

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1222

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1223

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 1224

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1225

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1226

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1227

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 1228

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 1229

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 1230

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 1231

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 1232

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1233

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 1234

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 1235

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 1236

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 1237

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 1238

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 1239

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1240

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 1241

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

ADeployer

BCluster master

CDeployment server

DSearch head cluster master

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1242

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 1243

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1244

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1245

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 1246

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 1247

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 1248

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 1249

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 1250

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 1251

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1252

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 1253

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1254

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 1255

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1256

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 1257

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 1258

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1259

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1260

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 1261

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1262

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1263

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1264

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 1265

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1266

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 1267

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1268

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1269

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 1270

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 1271

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 1272

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1273

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1274

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1275

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 1276

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1277

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1278

Which additional component is required for a search head cluster?

ADeployer

BCluster Master

CMonitoring Console

DManagement Console

Answer : A

Question 1279

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1280

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 1281

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 1282

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 1283

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1284

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 1285

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1286

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 1287

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1288

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1289

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 1290

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1291

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 1292

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1293

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1294

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 1295

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 1296

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 1297

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 1298

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 1299

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1300

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1301

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 1302

Which Splunk component requires a Forwarder license?

ASearch head

BHeavy forwarder

CHeaviest forwarder

DUniversal forwarder

Answer : B

Question 1303

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1304

Which feature of Splunk's role configuration can be used to aggregate multiple roles intended for groups of

users?

ALinked roles

BGrantable roles

CRole federation

DRole inheritance

Answer : D

You can have a role inherit certain properties from one or more existing role https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Aboutusersandroles

Question 1305

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 1306

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1307

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1308

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 1309

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1310

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 1311

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1312

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 1313

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1314

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 1315

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 1316

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 1317

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1318

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 1319

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 1320

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

AUniversal forwarder

BParsing forwarder

CHeavy forwarder

DAdvanced forwarder

Answer : C

Question 1321

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1322

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1323

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1324

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1325

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1326

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1327

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1328

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1329

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 1330

What is the correct example to redact a plain-text password from raw events?

Ain props.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Bin props.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Cin transforms.conf:
[identity]
SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Din transforms.conf:
[identity]
REGEX-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

Answer : B

The correct answer is B. in props.conf:

[identity]

SEDCMD-redact_pw = s/password=([^,|/s]+)/ ####REACTED####/g

s/password=([^,|/s]+)/ ####REACTED####/g

The g flag at the end means that the replacement is applied globally, not just to the first match.

Option A is incorrect because it uses the REGEX attribute instead of the SEDCMD attribute. The REGEX attribute is used to extract fields from events, not to modify them.

Option D is incorrect because it uses both the wrong attribute and the wrong file. There is no REGEX-redact_pw attribute in the transforms.conf file.

References: 1: Redact data from events - Splunk Documentation

Question 1331

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 1332

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 1333

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1334

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin generating internal Splunk logs.

CBegin reading local files on its server.

DSend an email to the operator that the installation process has completed.

Answer : B

Question 1335

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 1336

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 1337

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1338

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 1339

Which of the following statements describes how distributed search works?

AForwarders pull data from the search peers.

BSearch heads store a portion of the searchable data.

CThe search head dispatches searches to the search peers.

DSearch results are replicated within the indexer cluster.

Answer : C

URL https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Configuredistributedsearch

'To activate distributed search, you add search peers, or indexers, to a Splunk Enterprise instance that you desingate as a search head. You do this by specifying each search peer manually.'

Question 1340

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1341

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1342

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 1343

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1344

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 1345

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 1346

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 1347

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1348

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1349

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 1350

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1351

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 1352

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 1353

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1354

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 1355

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1356

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 1357

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 1358

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 1359

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1360

The LINE_BREAKER attribute is configured in which configuration file?

Aprops.conf

Bindexes.conf

Cinpucs.conf

Dtransforms.conf

Answer : A

Question 1361

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

Question 1362

Which valid bucket types are searchable? (select all that apply)

AHot buckets

BCold buckets

CWarm buckets

DFrozen buckets

Answer : A, B, C

Hot/warm/cold/thawed bucket types are searchable. Frozen isn't searchable because its either deleted at that state or archived.

Question 1363

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1364

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 1365

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1366

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 1367

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1368

Immediately after installation, what will a Universal Forwarder do first?

AAutomatically detect any indexers in its subnet and begin routing data.

BBegin reading local files on its server.

CBegin generating internal Splunk logs.

DSend an email to the operator that the installation process has completed.

Answer : C

Question 1369

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1370

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1371

When are knowledge bundles distributed to search peers?

AAfter a user logs in.

BWhen Splunk is restarted.

CWhen adding a new search peer.

DWhen a distributed search is initiated.

Answer : D

Question 1372

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1373

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1374

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1375

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

AREGEX, DEST. FORMAT

BREGEX. SRC_KEY, FORMAT

CREGEX, DEST_KEY, FORMAT

DREGEX, DEST_KEY FORMATTING

Answer : C

REGEX = <regular expression>

* Enter a regular expression to operate on your data.

FORMAT = <string>

* This setting specifies the format of the event, including any field names or values you want to add.

DEST_KEY = <key>

* NOTE: This setting is only valid for index-time field extractions.

* Specifies where SPLUNK software stores the expanded FORMAT results in accordance with the REGEX match.

Question 1376

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

ABlacklist

BWhitelist

CThey cancel each other out.

DWhichever is entered into the configuration first.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata

Question 1377

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1378

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 1379

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 1380

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 1381

Which of the following enables compression for universal forwarders in outputs. conf ?

AOption A

BOption B

COption C

DOption D

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf

# Compression

# This example sends compressed events to the remote indexer.

# NOTE: Compression can be enabled TCP or SSL outputs only.

# The receiver input port should also have compression enabled.

[tcpout]

server = splunkServer.example.com:4433

compressed = true

Question 1382

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1383

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D

Question 1384

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1385

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 1386

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 1387

How can native authentication be disabled in Splunk?

ARemove the $SPLUNK_HOME/etc/passwd file

BCreate an empty $SPLUNK_HOME/etc/passwd file

CSet SPLUNK_AUTHENTICATION=false in splunk-launch.conf

DSet nativeAuthentication=false in authentication.conf

Answer : B

Question 1388

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 1389

How do you remove missing forwarders from the Monitoring Console?

ABy restarting Splunk.

BBy rescanning active forwarders.

CBy reloading the deployment server.

DBy rebuilding the forwarder asset table.

Answer : D

Question 1390

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 1391

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 1392

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1393

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 1394

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1395

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1396

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1397

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 1398

Which of the following methods will connect a deployment client to a deployment server? (select all that apply)

ARun $SPLUNK_ROME/bin/ splunk set deploy-poll : from the command line of the deployment client.

BCreate and edit a deploymentserver . conf file in SSPLVNE{ on the deployment server.

CCreate and edit a deploymentclient . conf file in SSPLTJNE( EOME/etc/ system/local on the deployment client.

DRun $SPLUNK ROME/bin/spiunk set deploy-poi i : from the command line of the deployment server.

Answer : A, C

Question 1399

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 1400

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1401

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1402

A new forwarder has been installed with a manually created deploymentclient.conf.

What is the next step to enable the communication between the forwarder and the deployment server?

ARestart Splunk on the deployment server.

BEnable the deployment client in Splunk Web under Forwarder Management.

CRestart Splunk on the deployment client.

DWait for up to the time set in the phoneHomeIntervalInSecs setting.

Answer : C

Question 1403

Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)

ACLI

BEdit inputs . conf

CEdit forwarder.conf

DForwarder Management

Answer : A, B, D

https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise

Question 1404

Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?

AUpload option

BForward option

CMonitor option

DDownload option

Answer : A

Question 1405

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1406

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1407

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 1408

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 1409

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 1410

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 1411

There is a file with a vast amount of old dat

a. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?

AIgnoreOlderThan

BallowList

Cmonitor

DfollowTail

Answer : D

IgnoreOlderThan: This setting filters files for indexing based on their age. It does not prevent indexing of old data already in the file.

allowList: This setting allows specifying patterns to include files for monitoring, but it does not control indexing of pre-existing data.

monitor: This is the default method for monitoring files but does not address indexing pre-existing data.

References:

Splunk Docs: Monitor text files

Splunk Docs: Configure followTail in inputs.conf

Question 1412

Which of the following authentication types requires scripting in Splunk?

AADFS

BLDAP

CSAML

DRADIUS

Answer : D

https://answers.splunk.com/answers/131127/scripted-authentication.html

Question 1413

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1414

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 1415

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 1416

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 1417

Which of the following is the use case for the deployment server feature of Splunk?

AManaging distributed workloads in a Splunk environment.

BAutomating upgrades of Splunk forwarder installations on endpoints.

COrchestrating the operations and scale of a containerized Splunk deployment.

DUpdating configuration and distributing apps to processing components, primarily forwarders.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1418

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1419

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 1420

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 1421

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 1422

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1423

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 1424

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

Ahost

Bindex

Clinecount

Dsplunk_server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Knowledge/Usedefaultfields splunk_server

Question 1425

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 1426

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1427

Which is a valid stanza for a network input?

A[udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B[any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C[tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D[tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports

Bypassautomaticsourcetypeassignment

Question 1428

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1429

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 1430

What are the minimum required settings when creating a network input in Splunk?

AProtocol, port number

BProtocol, port, location

CProtocol, username, port

DProtocol, IP. port number

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf

[tcp://<remote server>:]

*Configures the input to listen on a specific TCP network port.

*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.

*If you do not specify <remote server>, this stanza matches all connections on the specified port.

*Generates events with source set to 'tcp:', for example: tcp:514

*If you do not specify a sourcetype, generates events with sourcetype set to 'tcp-raw'

Question 1431

In which phase of the index time process does the license metering occur?

Ainput phase

BParsing phase

CIndexing phase

DLicensing phase

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks

Question 1432

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1433

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 1434

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1435

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1436

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1437

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1438

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 1439

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 1440

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?

AIt does not encrypt the certificate password.

BSSL automatically compresses the feed by default.

CIt requires that the forwarder be set to compressed=true.

DIt requires that the receiver be set to compression=true.

Answer : A

AboutsecuringyourSplunkconfigurationwithSSL

Question 1441

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1442

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1443

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 1444

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1445

Which of the following types of data count against the license daily quota?

AReplicated data

Bsplunkd logs

CSummary index data

DWindows internal logs

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.3/Admin/Distdeploylicenses#Clustered_deployments_and_licensing_issues

Question 1446

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1447

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1448

Where are license files stored?

A$SPLUNK_HOME/etc/secure

B$SPLUNK_HOME/etc/system

C$SPLUNK_HOME/etc/licenses

D$SPLUNK_HOME/etc/apps/licenses

Answer : C

Question 1449

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1450

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 1451

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 1452

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?

ATrue

BFalse

C<regex string>

DNewline Character

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking

Attribute : SHOULD_LINEMERGE = [true|false]

Description : When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.

Question 1453

Which data pipeline phase is the last opportunity for defining event boundaries?

AInput phase

BIndexing phase

CParsing phase

DSearch phase

Answer : C

Reference https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/Configurationparametersandthedatapipeline

Question 1454

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1455

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 1456

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 1457

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1458

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 1459

When does a warm bucket roll over to a cold bucket?

AWhen Splunk is restarted.

BWhen the maximum warm bucket age has been reached.

CWhen the maximum warm bucket size has been reached.

DWhen the maximum number of warm buckets is reached.

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Indexer/HowSplunkstoresindexes

166653

Question 1460

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?

AEnable indexer acknowledgment.

BEnable forwarder acknowledgment.

Csplunk check-integrity -index <index name>

Dindex=_internal component=ACK | stats count by host

Answer : A

Per the provided Splunk reference URL

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Reference https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/AboutHECIDXAck

Question 1461

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting

up Duo for Multi-Factor Authentication in Splunk Enterprise?

ADuo Administrator

BLDAP Administrator

CSAML Administrator

DTrio Administrator

Answer : A

Question 1462

What happens when there are conflicting settings within two or more configuration files?

AThe setting is ignored until conflict is resolved.

BThe setting for both values will be used together.

CThe setting with the lowest precedence is used.

DThe setting with the highest precedence is used.

Answer : D

Question 1463

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1464

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A21MB

B28MB

C14MB

D7MB

Answer : A

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata#:~:text=The%20default%20for%20the%20maxQueueSize,wait%20queue%20size%20is%2021MB.

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Protectagainstlossofin-flightdata

Question 1465

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 1466

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1467

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1468

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 1469

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1470

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1471

Event processing occurs at which phase of the data pipeline?

ASearch

BIndexing

CParsing

DInput

Answer : C

Question 1472

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 1473

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1474

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 1475

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 1476

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1477

Which of the following is a benefit of distributed search?

APeers run search in sequence.

BPeers run search in parallel.

CResilience from indexer failure.

DResilience from search head failure.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/DistSearch/Whatisdistributedsearch

Question 1478

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 1479

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1480

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1481

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations

found in props.conf to be validated all through the UI?

AApps

BSearch

CData preview

DForwarder inputs

Answer : C

http://www.splunk.com/view/SP-CAAAGPR

Question 1482

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 1483

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A/var/log/messages

B/var/log/maillog

C/var/log/maillog and /var/log/messages

Dnone of the above

Answer : B

Question 1484

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1485

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1486

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1487

What is required when adding a native user to Splunk? (select all that apply)

APassword

BUsername

CFull Name

DDefault app

Answer : A, B

According to the Splunk system admin course PDF, When adding native users, Username and Password ARE REQUIRED

Question 1488

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 1489

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1490

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1491

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1492

Event:

[22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309

ASEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g

BSEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g

CSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g

DSEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Anonymizedata

Scrolling down to the section titled 'Define the sed script in props.conf shows the correct syntax of an example which validates that the number/character /1 immediately preceded the /g

Question 1493

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1494

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

AApp Class

BClient Class

CServer Class

DForwarder Class

Answer : C

<https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture>

https://docs.splunk.com/Splexicon:Serverclass

Question 1495

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1496

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 1497

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1498

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1499

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1500

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1501

Which of the following statements apply to directory inputs? {select all that apply)

AAll discovered text files are consumed.

BCompressed files are ignored by default

CSplunk recursively traverses through the directory structure.

DWhen adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer : A, C

Question 1502

Which of the following monitor inputs stanza headers would match all of the following files?

/var/log/www1/secure.log

/var/log/www/secure.l

/var/log/www/logs/secure.logs

/var/log/www2/secure.log

A[monitor:///var/log/.../secure.*

B[monitor:///var/log/www1/secure.*]

C[monitor:///var/log/www1/secure.log]

D[monitor:///var/log/www*/secure.*]

Answer : C

Question 1503

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 1504

After how many warnings within a rolling 30-day period will a license violation occur with an enforced

Enterprise license?

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Aboutlicenseviolations

Question 1505

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1506

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 1507

When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?

ANothing changes.

BThe peer-apps local directory becomes the highest priority.

CThe app local directories move to second in the priority list.

DThe system default directory' becomes the highest priority.

Answer : C

The app local directories move to second in the priority list. This is explained in the Splunk documentation, which states:

Question 1508

What action is required to enable forwarder management in Splunk Web?

ANavigate to Settings > Server Settings > General Settings, and set an App server port.

BNavigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

CCreate a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

DPlace an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Answer : C

https://docs.splunk.com/Documentation/MSApp/2.0.3/MSInfra/Setupadeploymentserver

Question 1509

When enabling data integrity control, where does Splunk Enterprise store the hash files for each bucket?

ASplunk Enterprise stores hash files in the logdata directory of the corresponding bucket.

BSplunk Enterprise stores hash files in the rawdata directory of the corresponding bucket.

CSplunk Enterprise stores hash files in the hashdata directory of the corresponding bucket.

DSplunk Enterprise stores hash files in the metadata directory of the corresponding bucket.

Answer : B

Data integrity controls in Splunk ensure that indexed data has not been tampered with.

When enabled, Splunk calculates hashes for each bucket and stores these hash files in the rawdata directory of the corresponding bucket.

Incorrect Options:

A, C, D: These directories do not store hash files.

References:

Splunk Docs: Configure data integrity controls

Question 1510

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 1511

When using license pools, volume allocations apply to which Splunk components?

AIndexers

BIndexes

CHeavy Forwarders

DSearch Heads

Answer : A

Question 1512

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 1513

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1514

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1515

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 1516

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?

Aindex=main

Bindex=test

Cindex=summary

Dindex=_internal

Answer : D

Question 1517

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 1518

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1519

How is a remote monitor input distributed to forwarders?

AAs an app.

BAs a forward.conf file.

CAs a monitor.conf file.

DAs a forwarder monitor profile.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Usingforwardingagents

Question 1520

Which of the following apply to how distributed search works? (select all that apply)

AThe search head dispatches searches to the peers

BThe search peers pull the data from the forwarders.

CPeers run searches in parallel and return their portion of results.

DThe search head consolidates the individual results and prepares reports

Answer : A, C, D

Question 1521

Which of the methods listed below supports muti-factor authentication?

ALightweight Directory Access Protocol (LDAP)

BSecurity Assertion Markup Language (SAML)

CSingle Sign-on (SSO)

DOpenlD

Answer : B

Question 1522

When running a real-time search, search results are pulled from which Splunk component?

AHeavy forwarders and search peers

BHeavy forwarders

CSearch heads

DSearch peers

Answer : D

Using the Splunk reference URL https://docs.splunk.com/Splexicon:Searchpeer

Question 1523

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1524

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Aprops.conf

Binputs.conf

Crawdata.conf

Dtransforms.conf

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms

use transformations with props.conf and transforms.conf to:

-- Mask or delete raw data as it is being indexed

--Override sourcetype or host based upon event values

-- Route events to specific indexes based on event content

-- Prevent unwanted events from being indexed

Question 1525

Which Splunk component does a search head primarily communicate with?

AIndexer

BForwarder

CCluster master

DDeployment server

Answer : A

Question 1526

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1527

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1528

Which setting allows the configuration of Splunk to allow events to span over more than one line?

ASHOULD_LINEMERGE = true

BBREAK_ONLY_BEFORE_DATE = true

CBREAK_ONLY_BEFORE = <REGEX pattern>

DSHOULD_LINEMERGE = false

Answer : A

Question 1529

Which artifact is required in the request header when creating an HTTP event?

AackID

BToken

CManifest

DHost name

Answer : B

Question 1530

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

ASlash notation

BRegular expression

CIrregular expression

DWildcard-only expression

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data

Question 1531

Which of the following is valid distribute search group?

Aoption A

BOption B

COption C

DOption D

Answer : D

Question 1532

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

AIndex once.

BMonitor interval.

COn-demand monitor.

DContinuously monitor.

Answer : A, D

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata

Question 1533

ensure that the masking takes place successfully?

AMake sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

BFor source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

CMake sure that props . conf and transforms . conf are both present on the Universal Forwarder.

DPlace both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Answer : D

The correct answer is D. Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

References: 1: Redact data from events - Splunk Documentation 2: Where do I configure my Splunk settings? - Splunk Documentation

Question 1534

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1535

Which of the following applies only to Splunk index data integrity check?

ALookup table

BSummary Index

CRaw data in the index

DData model acceleration

Answer : C

Question 1536

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1537

AIndexer

BDeployment server

CUniversal forwarder

DSearch head

Answer : D

Question 1538

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

Aprops.conf

Binputs.conf

Coutputs.conf

Dcollections.conf

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.1/DistSearch/Forwardsearchheaddata

Question 1539

Within props. conf, which stanzas are valid for data modification? (select all that apply)

AHost

BServer

CSource

DSourcetype

Answer : A, C, D

https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf

'* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts.' https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec

Question 1540

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 1541

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 1542

How often does Splunk recheck the LDAP server?

AEvery 5 minutes

BEach time a user logs in

CEach time Splunk is restarted

DVaries based on LDAP_refresh setting.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP

Question 1543

An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data

is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the

index?

ABuy a bigger Splunk license.

BAdd 2.5 TB each day for the next 5 days.

CAdd all 10 TB in a single 24 hour period.

DAdd 200 GB of historical data each day for 50 days.

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.1.2/Admin/Aboutlicenseviolations

'An Enterprise license stack with a license volume of 100 GB of data per day or more does not currently violate.'

Question 1544

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 1545

Which Splunk configuration file is used to enable data integrity checking?

Aprops.conf

Bglobal.conf

Cindexes.conf

Ddata_integrity.conf

Answer : C

Question 1546

In which phase do indexed extractions in props.conf occur?

AInputs phase

BParsing phase

CIndexing phase

DSearching phase

Answer : B

The following items in the phases below are listed in the order Splunk applies them (ie LINE_BREAKER occurs before TRUNCATE).

Input phase

inputs.conf

props.conf

CHARSET

NO_BINARY_CHECK

CHECK_METHOD

CHECK_FOR_HEADER (deprecated)

PREFIX_SOURCETYPE

sourcetype

wmi.conf

regmon-filters.conf

Structured parsing phase

props.conf

INDEXED_EXTRACTIONS, and all other structured data header extractions

Parsing phase

props.conf

LINE_BREAKER, TRUNCATE, SHOULD_LINEMERGE, BREAK_ONLY_BEFORE_DATE, and all other line merging settings

TIME_PREFIX, TIME_FORMAT, DATETIME_CONFIG (datetime.xml), TZ, and all other time extraction settings and rules

TRANSFORMS which includes per-event queue filtering, per-event index assignment, per-event routing

SEDCMD

MORE_THAN, LESS_THAN

transforms.conf

stanzas referenced by a TRANSFORMS clause in props.conf

LOOKAHEAD, DEST_KEY, WRITE_META, DEFAULT_VALUE, REPEAT_MATCH

Configurationparametersandthedatapipeline

Question 1547

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1548

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 1549

What is the correct curl to send multiple events through HTTP Event Collector?

AOption A

BOption B

COption C

DOption D

Answer : B

Question 1550

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 1551

In this source definition the MAX_TIMESTAMP_LOOKHEAD is missing. Which value would fit best?

Event example:

AMAX_TIMESTAMP_L0CKAHEAD = 5

BMAX_TIMESTAMP_LOOKAHEAD - 10

CMAX_TIMESTAMF_LOOKHEAD = 20

DMAX TIMESTAMP LOOKAHEAD - 30

Answer : D

https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition

Question 1552

On the deployment server, administrators can map clients to server classes using client filters. Which of the

following statements is accurate?

AThe blacklist takes precedence over the whitelist.

BThe whitelist takes precedence over the blacklist.

CWildcards are not supported in any client filters.

DMachine type filters are applied before the whitelist and blacklist.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.1/Updating/Filterclients

same/td-p/390910

Question 1553

Which of the following is a valid distributed search group?

A[distributedSearch:Paris] default = false servers = server1, server2

B[searchGroup:Paris] default = false servers = server1:8089, server2:8089

C[searchGroup:Paris] default = false servers = server1:9997, server2:9997

D[distributedSearch:Paris] default = false servers = server1:8089; server2:8089

Answer : D

https://docs.splunk.com/Documentation/Splunk/9.0.0/DistSearch/Distributedsearchgroups

Question 1554

The following stanzas in inputs. conf are currently being used by a deployment client:

[udp: //145.175.118.177:1001

Connection_host = dns

sourcetype = syslog

Which of the following statements is true of data that is received via this input?

AIf Splunk is restarted, data will be queued and then sent when Splunk has restarted.

BLocal firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf.

CThe host value associated with data received will be the IP address that sent the data.

DIf Splunk is restarted, data may be lost.

Answer : D

Question 1555

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1556

Which layers are involved in Splunk configuration file layering? (select all that apply)

AApp context

BUser context

CGlobal context

DForwarder context

Answer : A, B, C

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question 1557

Which of the following are reasons to create separate indexes? (Choose all that apply.)

ADifferent retention times.

BIncrease number of users.

CRestrict user permissions.

DFile organization.

Answer : A, C

Question 1558

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?

A_TCP_ROUTING

B_INDEXER_LIST

C_INDEXER_GROUP

D_INDEXER ROUTING

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding

Question 1559

Which of the following must be done to define user permissions when integrating Splunk with LDAP?

AMap Users

BMap Groups

CMap LDAP Inheritance

DMap LDAP to Active Directory

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.3/Security/ConfigureLDAPwithSplunkWeb

Question 1560

An admin updates the Role to Group mapping for external authentication. How does the change affect users that are currently logged into Splunk?

AUsers will continue to operate under their previous role until the next time they log into Splunk.

BSearch is disabled until users reauthenticate.

COnly newly created user accounts are affected by the role change.

DThe role update terminates the user's current session, and they have to log back in.

Answer : A

The changes to role mapping do not disrupt ongoing sessions.

Incorrect Options:

B: Search is not disabled upon role updates.

C: This is incorrect since existing users are also updated upon the next login.

D: Role updates do not terminate ongoing sessions.

References:

Splunk Docs: Configure user authentication

Question 1561

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 1562

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1563

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

AAllows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

BAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

CAllows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

DAllows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Deploymentserverarchitecture

'A deployment client is a Splunk instance remotely configured by a deployment server'.

Question 1564

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 1565

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1566

AThe receiving port is not properly setup to listen on the right port.

BThe inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names.

CThe DNS record used is not setup with a valid list of IP addresses.

DThe indexAndForward value is not set properly.

Answer : A, C

Question 1567

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list ---debug. What will the output be?

Alist of all the configurations on-disk that Splunk contains.

BA verbose list of all configurations as they were when splunkd started.

CA list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

DA list of the current running props, conf configurations along with a file path from which the configuration was made

Answer : C

https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations

'The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings.'

Question 1568

Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)

ALDAP

BSAML

CRADIUS

DDuo Multifactor Authentication

Answer : A, B, C

Question 1569

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1570

Which default Splunk role could be assigned to provide users with the following capabilities?

Create saved searches

Edit shared objects and alerts

Not allowed to create custom roles

Aadmin

Bpower

Cuser

Dsplunk-system-role

Answer : B

Question 1571

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

AIndexer

BDeployer

CForwarder

DDeployment server

Answer : D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations

First line says it all: 'The deployment server distributes deployment apps to clients.'

Question 1572

User role inheritance allows what to be inherited from the parent role? (select all that apply)

AParents

BCapabilities

CIndex access

DSearch history

Answer : B, C

https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance

https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities

Question 1573

Which forwarder type can parse data prior to forwarding?

AUniversal forwarder

BHeaviest forwarder

CHyper forwarder

DHeavy forwarder

Answer : D

https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders

'A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event.'

Question 1574

Where should apps be located on the deployment server that the clients pull from?

A$SFLUNK_KOME/etc/apps

B$SPLUNK_HCME/etc/sear:ch

C$SPLUNK_HCME/etc/master-apps

D$SPLUNK HCME/etc/deployment-apps

Answer : D

After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients. But it resided in the $SPLUNK_HOME/etc/deployment-apps location in the deployment server.

Question 1575

Which Splunk forwarder has a built-in license?

ALight forwarder

BHeavy forwarder

CUniversal forwarder

DCloud forwarder

Answer : C

Question 1576

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 1577

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1578

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1579

Which parent directory contains the configuration files in Splunk?

ASSFLUNK_HOME/etc

BSSPLUNK_HOME/var

CSSPLUNK_HOME/conf

DSSPLUNK_HOME/default

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

Question 1580

What is the default character encoding used by Splunk during the input phase?

AUTF-8

BUTF-16

CEBCDIC

DISO 8859

Answer : A

https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

Question 1581

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

Asplunk btool server list --debug

Bsplunk list forward-indexer

Csplunk list forward-server

Dsplunk btool indexes list --debug

Answer : C

Question 1582

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

AIndexer

BForwarder

CSearch head

DDeployment server

Answer : A

https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html

Reference https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310

Question 1583

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 1584

When indexing a data source, which fields are considered metadata?

Asource, host, time

Btime, sourcetype, source

Chost, raw, sourcetype

Dsourcetype, source, host

Answer : D

Question 1585

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1586

Which of the following statements describe deployment management? (select all that apply)

ARequires an Enterprise license

BIs responsible for sending apps to forwarders.

COnce used, is the only way to manage forwarders

DCan automatically restart the host OS running the forwarder.

Answer : A, B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.

https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver

'The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances.'

Question 1587

Which of the following are required when defining an index in indexes. conf? (select all that apply)

AcoldPath

BhomePath

CfrozenPath

DthawedPath

Answer : A, B, D

homePath = $SPLUNK_DB/hatchdb/db

coldPath = $SPLUNK_DB/hatchdb/colddb

thawedPath = $SPLUNK_DB/hatchdb/thaweddb

https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf

https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

Question 1588

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1589

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

AIndexers, search head, universal forwarders, license master

BIndexers, search head, deployment server, universal forwarders

CIndexers, search head, deployment server, license master, universal forwarder

DIndexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Answer : C

Question 1590

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 1591

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

AOn Universal Forwarder, $SPLUNK_HOME/etc/apps

BOn Deployment Server, $SPLUNK_HOME/etc/apps

COn Deployment Server, $SPLUNK_HOME/etc/deployment-apps

DOn Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Answer : C

The correct answer is C. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps.

The other options are incorrect because:

Question 1592

When using a directory monitor input, specific source type can be selectively overridden using which configuration file?

Aprops.conf

Bsourcetypes.conf

Ctransforms.conf

Doutputs.conf

Answer : A

Question 1593

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk

software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?

AUse Local Windows host monitoring.

BUse Windows Remote Inputs with WMI.

CUse Local Windows network monitoring.

DUse an index with an Index Data Type of Metrics.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/ConsiderationsfordecidinghowtomonitorWindowsdata

Question 1594

What is the default value of LINE_BREAKER?

A\r\n

B([\r\n]+)

C\r+\n+

D(\r\n+)

Answer : B

Question 1595

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1596

When running the command shown below, what is the default path in which deployment server. conf is created?

splunk set deploy-poll deployServer:port

ASFLUNK_HOME/etc/deployment

BSPLUNK_HOME/etc/system/local

CSPLUNK_HOME/etc/system/default

DSPLUNK_KOME/etc/apps/deployment

Answer : C

Question 1597

Which pathway represents where a network input in Splunk might be found?

A$SPLUNK HOME/ etc/ apps/ ne two r k/ inputs.conf

B$SPLUNK HOME/ etc/ apps/ $appName/ local / inputs.conf

C$SPLUNK HOME/ system/ local /udp.conf

D$SPLUNK HOME/ var/lib/ splunk/$inputName/homePath/

Answer : B

The correct answer is B. The network input in Splunk might be found in the $SPLUNK_HOME/etc/apps/$appName/local/inputs.conf file.

$SPLUNK_HOME/etc/system/default: This directory contains the default settings for all inputs. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/system/local: This directory contains the custom settings for all inputs that apply to the entire Splunk instance. The settings in this directory override the default settings2.

$SPLUNK_HOME/etc/apps/$appName/default: This directory contains the default settings for all inputs that are specific to an app. You should not modify or copy the files in this directory2.

$SPLUNK_HOME/etc/apps/$appName/local: This directory contains the custom settings for all inputs that are specific to an app. The settings in this directory override the default and system settings2.

The other options are incorrect because:

A . There is no network directory under the apps directory. The network input settings should be in the inputs.conf file, not in a separate directory.

Question 1598

Ahomepath

BthawedPath

CsummaryHomePath

Dcolddeath

Answer : D

Question 1599

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?

AGUID

BDNS

CHash Checksum

DIP Address

Answer : A

The HTTP Event Collector (HEC) supports indexer acknowledgment to confirm event delivery. Each acknowledgment is associated with a unique GUID (Globally Unique Identifier).

GUID ensures events are not re-indexed in the case of retries.

Incorrect Options:

B, C, D: These are not valid channel values in HEC acknowledgments.

References:

Splunk Docs: Use indexer acknowledgment with HTTP Event Collector

Question 1600

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A$SFLUNK_HOME/bin/scripts

B$SPLUNK_HOME/etc/apps/bin

C$SPLUNK_HOME/etc/system/bin

D$S?LUNK_HOME/etc/apps/<your_app>/bin_

Answer : A, C, D

'Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:

$SPLUNK_HOME/etc/system/bin

$SPLUNK_HOME/etc/apps/<your_App>/bin

$SPLUNK_HOME/bin/scripts

As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system.'

Question 1601

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?

A90 days

B60 days

C7 days

D14 days

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.3/Admin/TypesofSplunklicenses

Question 1602

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1603

Which file will be matched for the following monitor stanza in inputs. conf?

[monitor: ///var/log/*/bar/*. txt]

A/var/log/host_460352847/temp/bar/file/csv/foo.txt

B/var/log/host_460352847/bar/foo.txt

C/var/log/host_460352847/bar/file/foo.txt

D/var/ log/ host_460352847/temp/bar/file/foo.txt

Answer : C

The correct answer is C. /var/log/host_460352847/bar/file/foo.txt.

The monitor stanza in inputs.conf is used to configure Splunk to monitor files and directories for new data. The monitor stanza has the following syntax1:

[monitor://<input path>]

Therefore, the file /var/log/host_460352847/bar/file/foo.txt will be matched by the monitor stanza, as it meets the criteria. The other files will not be matched, because:

A . /var/log/host_460352847/temp/bar/file/csv/foo.txt has a .csv extension, not a .txt extension.

B . /var/log/host_460352847/bar/foo.txt is not located in a subdirectory under the bar directory, but directly in the bar directory.

D . /var/log/host_460352847/temp/bar/file/foo.txt is located in a subdirectory named file under the bar directory, not directly in the bar directory.

Question 1604

Consider the following stanza in inputs.conf:

What will the value of the source filed be for events generated by this scripts input?

A/opt/splunk/ecc/apps/search/bin/liscer.sh

Bunknown

Cliscer

Dliscer.sh

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Inputsconf

-Scroll down to source = <string>

*Default: the input file path

Question 1605

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

Abucketdb

Bfrozendb

Ccolddb

Ddb

Answer : C, D

Question 1606

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

ADisk

BCPUs

CMemory

DNetwork interface cards

Answer : B

https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture

Question 1607

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?

ADefault app

BLDAP group

CPassword

DUsername

Answer : A

Question 1608

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

AHeavy Forwarders

BUniversal Forwarders

CSearch peers

DSearch heads

Answer : C

Question 1609

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

ACreate one outputs . conf file for each of the server addresses in the indexing tier.

BConfigure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

CSplunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

DSet the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Answer : D

To enable automatic load balancing, set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment. For example:

[tcpout] server=10.1.1.1:9997,10.1.1.2:9997,10.1.1.3:9997

The forwarder then distributes data across all of the indexers in the list.

Question 1610

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

AA token-based HTTP input that is secure and scalable and that requires the use of forwarders

BA token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

CAn agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

DA token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer : B

https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector

Question 1611

The universal forwarder has which capabilities when sending data? (select all that apply)

ASending alerts

BCompressing data

CObfuscating/hiding data

DIndexer acknowledgement

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata

https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.

Question 1612

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A_audit

B_checkpoint

C_introspection

D_thefishbucket

Answer : D

Question 1613

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A... is not supported in monitor stanzas

BThere is no difference, they are interchangable and match anything beyond directory boundaries.

C* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards

... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.

If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.

* The asterisk wildcard matches anything in that specific folder path segment.

Unlike ..., * does not recurse through subfolders.

Question 1614

What is the correct order of steps in Duo Multifactor Authentication?

A1 Request Login
2. Connect to SAML server
3 Duo MFA
4 Create User session
5 Authentication Granted 6. Log into Splunk

B1. Request Login 2 Duo MFA
3. Authentication Granted 4 Connect to SAML server
5. Log into Splunk
6. Create User session

C1 Request Login
2 Check authentication / group mapping
3 Authentication Granted
4. Duo MFA
5. Create User session
6. Log into Splunk

D1 Request Login 2 Duo MFA
3. Check authentication / group mapping
4 Create User session
5. Authentication Granted
6 Log into Splunk

Answer : C

Using the provided DUO/Splunk reference URL https://duo.com/docs/splunk

Scroll down to the Network Diagram section and note the following 6 similar steps

1 - SPlunk connection initiated

2 - Primary authentication

3 - Splunk connection established to Duo Security over TCP port 443

4 - Secondary authentication via Duo Security's service

5 - Splunk receives authentication response

6 - Splunk session logged in.

Question 1615

The priority of layered Splunk configuration files depends on the file's:

AOwner

BWeight

CContext

DCreation time

Answer : C

https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

Question 1616

A Universal Forwarder has the following active stanza in inputs . conf:

[monitor: //var/log]

disabled = O

host = 460352847

An event from this input has a timestamp of 10:55. What timezone will Splunk add to the event as part of indexing?

AUniversal Coordinated Time.

BThe timezone of the search head.

CThe timezone of the indexer that indexed the event.

DThe timezone of the forwarder.

Answer : D

The correct answer is D. The timezone of the forwarder will be added to the event as part of indexing.

According to the Splunk documentation1, Splunk software determines the time zone to assign to a timestamp using the following logic in order of precedence:

Use the time zone specified in raw event data (for example, PST, -0800), if present.

Use the TZ attribute set in props.conf, if the event matches the host, source, or source type that the stanza specifies.

If the forwarder and the receiving indexer are version 6.0 or higher, use the time zone that the forwarder provides.

Use the time zone of the host that indexes the event.

The other options are incorrect because:

Question 1617

Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)

A_license

B_lnternal

C_external

D_thefishbucket

Answer : B, D

https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks

Question 1618

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

AdiskQueueSize

BdurableQueueSize

CpersistentOueueSize

DqueueSize

Answer : C

Question 1619

Which of the following are supported options when configuring optional network inputs?

AMetadata override, sender filtering options, network input queues (quantum queues)

BMetadata override, sender filtering options, network input queues (memory/persistent queues)

CFilename override, sender filtering options, network output queues (memory/persistent queues)

DMetadata override, receiver filtering options, network input queues (memory/persistent queues)

Answer : B

https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports

Question 1620

In which Splunk configuration is the SEDCMD used?

Aprops, conf

Binputs.conf

Cindexes.conf

Dtransforms.conf

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd

'You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. '

Question 1621

Which of the following is accurate regarding the input phase?

ABreaks data into events with timestamps.

BApplies event-level transformations.

CFine-tunes metadata.

DPerforms character encoding.

Answer : D

Question 1622

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

ALicense data

BMetricsdata

CInternal Splunk data

DInternal Windows logs

Answer : B

Question 1623

During search time, which directory of configuration files has the highest precedence?

A$SFLUNK_KOME/etc/system/local

B$SPLUNK_KCME/etc/system/default

C$SPLUNK_HCME/etc/apps/app1/local

D$SPLUNK HCME/etc/users/admin/local

Answer : D

Adding further clarity and quoting same Splunk reference URL from @giubal'

1.Slave-app local directories -- highest priority

2. System local directory

3. App local directories

4. Slave-app default directories

5. App default directories

6. System default directory --lowest priority

Question 1624

How is data handled by Splunk during the input phase of the data ingestion process?

AData is treated as streams.

BData is broken up into events.

CData is initially written to disk.

DData is measured by the license meter.

Answer : A

https://docs.splunk.com/Documentation/Splunk/8.0.5/Deploy/Datapipeline

'In the input segment, Splunk software consumes data. It acquires the raw data stream from its source, breaks in into 64K blocks, and annotates each block with some metadata keys.'

Question 1625

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

AAny OS platform

BLinux platform only

CWindows platform only.

DNone of the above.

Answer : A

'The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP.

Question 1626

When are knowledge bundles distributed to search peers?

AAfter a user logs in.

BWhen Splunk is restarted.

CWhen adding a new search peer.

DWhen a distributed search is initiated.

Answer : D

Question 1627

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

AfollowTail = -45d

Bignore = 45d

CincludeNewerThan = -35d

DignoreOlderThan = 45d

Answer : D

Question 1628

What happens when the same username exists in Splunk as well as through LDAP?

ASplunk user is automatically deleted from authentication.conf.

BLDAP settings take precedence.

CSplunk settings take precedence.

DLDAP user is automatically deleted from authentication.conf

Answer : C

Question 1629

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

ATo ensure that hot buckets are still open for writes and have not been forced to roll to a cold state

BTo ensure that configuration files have not been tampered with for auditing and/or legal purposes

CTo ensure that user passwords have not been tampered with for auditing and/or legal purposes.

DTo ensure that data has not been tampered with for auditing and/or legal purposes

Answer : D

Question 1630

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?

AUpdate the user in Splunk web informing them that the results of their search may be incomplete.

BRepeat the search request on indexer B without informing the user.

CUpdate the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search.

DInform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

Answer : A

This is explained in the Splunk documentation1, which states:

If an indexer goes down during a search, the search head notifies you that the results might be incomplete. The search head does not attempt to re-run the search on another indexer.

Question 1631

When would the following command be used?

ATo verify' the integrity of a local index.

BTo verify the integrity of a SmartStore index.

CTo verify the integrity of a SmartStore bucket.

DTo verify the integrity of a local bucket.

Answer : D