Splunk SPLK-3001 Exam Questions Instant Access

Question 1

What is the maximum recommended volume of indexing per day, per indexer, for a non-cloud (on-prem) ES deployment?

A50 GB

B100 GB

C300 GB

D500 MB

Answer : B

Question 2

ES needs to be installed on a search head with which of the following options?

ANo other apps.

BAny other apps installed.

CAll apps removed except for TA-*.

DOnly default built-in and CIM-compliant apps.

Answer : D

Question 3

Which settings indicated that the correlation search will be executed as new events are indexed?

AAlways-On

BReal-Time

CScheduled

DContinuous

Answer : C

Question 4

At what point in the ES installation process should Splunk_TA_ForIndexes.spl be deployed to the indexers?

AWhen adding apps to the deployment server.

BSplunk_TA_ForIndexers.spl is installed first.

CAfter installing ES on the search head(s) and running the distributed configuration management tool.

DSplunk_TA_ForIndexers.spl is only installed on indexer cluster sites using the cluster master and the splunk apply cluster-bundle command.

Answer : C

Question 5

What role should be assigned to a security team member who will be taking ownership of notable events in the incident review dashboard?

Aess_user

Bess_admin

Cess_analyst

Dess_reviewer

Answer : B

Question 6

Where are attachments to investigations stored?

AKV Store

Bnotable index

Cattachments.csv lookup

D<splunk_home>/etc/apps/SA-Investigations/default/ui/views/attachments

Answer : A

Question 7

What does the risk framework add to an object (user, server or other type) to indicate increased risk?

AAn urgency.

BA risk profile.

CAn aggregation.

DA numeric score.

Answer : D

Splunk Enterprise Security Certified Admin SPLK-3001 Exam Questions