Splunk SPLK-3003 Exam Questions Instant Access

Question 1

A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?

ACreate a tiered deployment server topology.

BReduce the phone home interval to 6 seconds.

CLeave the phone home interval at 60 seconds.

DIncrease the phone home interval to 600 seconds.

Answer : A

Question 2

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

ACustomer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design.

BCustomers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision.

CUsing the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design.

DChoose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.

Answer : B

Question 3

What does Splunk do when it indexes events?

AExtracts the top 10 fields.

BExtracts metadata fields such as host, source, sourcetype.

CPerforms parsing, merging, and typing processes on universal forwarders.

DCreate report acceleration summaries.

Answer : B

Question 4

Which statement is correct?

AIn general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.

BAs a streaming command, streamstats performs better than stats since stats is just a reporting command.

CWhen trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.

DFormatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.

Answer : D

Question 5

When using SAML, where does user authentication occur?

ASplunk generates a SAML assertion that authenticates the user.

BThe Service Provider (SP) decodes the SAML request and authenticates the user.

CThe Identity Provider (IDP) decodes the SAML request and authenticates the user.

DThe Service Provider (SP) generates a SAML assertion that authenticates the user.

Answer : A

Question 6

When monitoring and forwarding events collected from a file containing unstructured textual events, what is the difference in the Splunk2Splunk payload traffic sent between a universal forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the forwarder.)

AThe payload format sent from the UF versus the HF is exactly the same. The payload size is identical because they're both sending 64K chunks.

BThe UF sends a stream of data containing one set of medata fields to represent the entire stream, whereas
the HF sends individual events, each with their own metadata fields attached, resulting in a lager payload.

CThe UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true.

DThe HF sends a stream of 64K TCP chunks with one set of metadata fields attached to represent the entire stream, whereas the UF sends individual events, each with their own metadata fields attached.

Answer : B

Question 7

A customer is using both internal Splunk authentication and LDAP for user management.

If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

AThe internal Splunk authentication will take precedence.

BAuthentication will only succeed if the password is the same in both systems.

CThe LDAP user account will take precedence.

DSplunk will error as it does not support overlapping usernames

Answer : A

Splunk Core Certified Consultant SPLK-3003 Exam Questions