Splunk SPLK-3003 Exam Practice Test Instant Access

Question 1

What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk space?

AA warm standby CM needs to be brought online as soon as possible before an indexer has an outage.

BThe indexer cluster will continue to operate as long as no indexers fail.

CIf the indexer cluster has site failover configured in the CM, the second cluster master will take over.

DThe indexer cluster will continue to operate as long as a replacement CM is deployed within 24 hours.

Answer : C

Question 2

A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?

Alist monitor

Boneshot

Cbtprobe

Dtailingprocessor
Section: (none)
Explanation

Answer : B

Question 3

As a best practice which of the following should be used to ingest data on clustered indexers?

AMonitoring (via a process), collecting data (modular inputs) from remote systems/applications

BModular inputs, HTTP Event Collector (HEC), inputs.conf monitor stanza

CActively listening on ports, monitoring (via a process), collecting data from remote systems/applications

Dsplunktcp, splunktcp-ssl, HTTP Event Collector (HEC)

Answer : B

Question 4

How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?

AThe MC uses a REST endpoint to query the server.

BRoles are manually assigned within the MC.

CRoles are read from distsearch.conf.

DThe MC assigns all possible roles by default.

Answer : C

Question 5

Which of the following statements is true, as it pertains to search head clustering (SHC)?

ASHC is supported on AIX, Linux, and Windows operating systems.

BMaximum number of nodes for a SHC is 10.

CSHC members must run on the same hardware specifications.

DMinimum number of nodes for a SHC is 5.

Answer : B

Question 6

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

ANone. Splunk default configurations will process the events as needed; the UF is not causing truncation.

BConfigure the best practice magic 6 or great 8 props.conf settings.

CEVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.

DGlobal EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.

Answer : C

Question 7

When using SAML, where does user authentication occur?

ASplunk generates a SAML assertion that authenticates the user.

BThe Service Provider (SP) decodes the SAML request and authenticates the user.

CThe Identity Provider (IDP) decodes the SAML request and authenticates the user.

DThe Service Provider (SP) generates a SAML assertion that authenticates the user.

Answer : A

Splunk Core Certified Consultant SPLK-3003 Exam Practice Test