Splunk SPLK-3003 Exam Practice Test Instant Access

Question 1

Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:

Which file(s) will actually be actively monitored?

A/var/log/secure

B/var/log/messages

C/var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure

D/var/log/secure, /var/log/messages

Answer : A

Question 2

A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?

A1. Add new indexers to the cluster as peers, in the same site (if needed).
2. Ensure new indexers receive common configuration.
3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

B1. Add new indexers to the cluster as peers, to a new site.
2. Ensure new indexers receive common configuration from the CM.
3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

C1. Add new indexers to the cluster as peers, in the same site.
2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers.
3. Allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

D1. Add new indexers to the cluster as new site.
2. Update cluster master (CM) server.conf to include the new available site.
3. Allow time for CM to fix/migrate buckets to new hardware.
4. Remove the old indexers from the CM's list.

Answer : B

Question 3

Which command is most efficient in finding the pass4SymmKey of an index cluster?

Afind / -name server.conf --print | grep pass4SymKey

B$SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/ unhash_app/storage/passwords

C$SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey

D$SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep
pass4SymmKey

Answer : D

Question 4

When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?

AAll replicated copies will be rolled to frozen; original copies will remain.

BReplicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.

CThe bucket rolls to frozen on all clustered indexers simultaneously.

DNothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.

Answer : B

Question 5

Which of the following statements is true, as it pertains to search head clustering (SHC)?

ASHC is supported on AIX, Linux, and Windows operating systems.

BMaximum number of nodes for a SHC is 10.

CSHC members must run on the same hardware specifications.

DMinimum number of nodes for a SHC is 5.

Answer : B

Question 6

The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing. Here is an excerpt from the cluster mater's server.conf:

Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?

AEnable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.

BLeave replication_factor=2, increase search_factor=2 and enable summary_replication.

CConvert the cluster to multi-site and modify the server.conf to be site_replication_factor=2, site_search_factor=2.

DIncrease replication_factor=3, search_factor=2 to protect the data, and allow there to always be a searchable copy.

Answer : D

Question 7

When monitoring and forwarding events collected from a file containing unstructured textual events, what is the difference in the Splunk2Splunk payload traffic sent between a universal forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the forwarder.)

AThe payload format sent from the UF versus the HF is exactly the same. The payload size is identical because they're both sending 64K chunks.

BThe UF sends a stream of data containing one set of medata fields to represent the entire stream, whereas
the HF sends individual events, each with their own metadata fields attached, resulting in a lager payload.

CThe UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true.

DThe HF sends a stream of 64K TCP chunks with one set of metadata fields attached to represent the entire stream, whereas the UF sends individual events, each with their own metadata fields attached.

Answer : B

Splunk Core Certified Consultant SPLK-3003 Exam Practice Test