Splunk SPLK-3003 Exam Questions Instant Access

Question 1

Which of the following statements applies to indexer discovery?

AThe Cluster Master (CM) can automatically discover new indexers added to the cluster.

BForwarders can automatically discover new indexers added to the cluster.

CDeployment servers can automatically configure new indexers added to the cluster.

DSearch heads can automatically discover new indexers added to the cluster.

Answer : D

Question 2

A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?

A1. Add new indexers to the cluster as peers, in the same site (if needed).
2. Ensure new indexers receive common configuration.
3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

B1. Add new indexers to the cluster as peers, to a new site.
2. Ensure new indexers receive common configuration from the CM.
3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

C1. Add new indexers to the cluster as peers, in the same site.
2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers.
3. Allow time for CM to fix/migrate buckets to new hardware.
4. Remove all the old indexers from the CM's list.

D1. Add new indexers to the cluster as new site.
2. Update cluster master (CM) server.conf to include the new available site.
3. Allow time for CM to fix/migrate buckets to new hardware.
4. Remove the old indexers from the CM's list.

Answer : B

Question 3

Which of the following is the most efficient search?

AOption A

BOption B

COption C

DOption D

Answer : C

Question 4

A new search head cluster is being implemented. Which is the correct command to initialize the deployer node without restarting the search head cluster peers?

A$SPLUNK_HOME/bin/splunk apply shcluster-bundle

B$SPLUNK_HOME/bin/splunk apply cluster-bundle

C$SPLUNK_HOME/bin/splunk apply shcluster-bundle --action stage

D$SPLUNK_HOME/bin/splunk apply cluster-bundle --action stage

Answer : A

Question 5

A customer has a multisite cluster (two sites, each site in its own data center) and users experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations.

Which of the following would be the least expensive and easiest way to improve search performance?

AConfigure site_search_factor to ensure a searchable copy exists in the local site for each search head.

BMove all indexers and search heads in one of the data centers into the same site.

CInstall a network pipe with more bandwidth between the two data centers.

DSet the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.

Answer : A

Question 6

Which of the following is the most efficient search?

Aindex=www status=200 uri=/cart/checkout | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

B(index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum (revenue) as total_revenue by session_id | table total_revenue session_id

Cindex=www | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

D(index=www) OR (index=sales) | search (index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

Answer : B

Question 7

How could a role in which all users must specify an index=clause in all searches be configured?

ASet the authorize.conf setting: srchIndexesDefault to no value.

BSet the authorize.conf setting: srchFilter to no value.

CSet the authorize.conf setting: srchIndexesAllowed to no value.

DSet the authorize.conf setting: srchJobsQuota to no value.

Answer : B

Splunk Core Certified Consultant SPLK-3003 Exam Questions