Which setting in indexes.conf allows data retention to be controlled by time?
- A . maxDaysToKeep
- B . moveToFrozenAfter
- C . maxDataRetentionTime
- D . frozenTimePeriodInSecs
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Indexer/Setaretirementandarchivingpolicy
The universal forwarder has which capabilities when sending data? (select all that apply)
- A . Sending alerts
- B . Compressing data
- C . Obfuscating/hiding data
- D . Indexer acknowledgement
BD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Forwarding/Aboutforwardingandreceivingdata
https://docs.splunk.com/Documentation/Forwarder/8.1.1/Forwarder/Configureforwardingwithoutputs.conf#:~:text=compressed%3Dtrue%20This%20tells%20the,the%20forwarder%20sends%20raw%20data.
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
- A . Blacklist
- B . Whitelist
- C . They cancel each other out.
- D . Whichever is entered into the configuration first.
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/Whitelistorblacklistspecificincomingdata
"It is not necessary to define both an allow list and a deny list in a configuration stanza. The settings are independent. If you do define both filters and a file matches them both, Splunk Enterprise does not index that file, as the blacklist filter overrides the whitelist filter." Source: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Whitelistorblacklistspecificincomingdata
In which Splunk configuration is the SEDCMD used?
- A . props.conf
- B . inputs.conf
- C . indexes.conf
- D . transforms.conf
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Forwarding/Forwarddatatothird-partysystemsd
"You can specify a SEDCMD configuration in props.conf to address data that contains characters that the third-party server cannot process. "
Which of the following are supported configuration methods to add inputs on a forwarder? (select all that apply)
- A . CLI
- B . Edit inputs.conf
- C . Edit forwarder.conf
- D . Forwarder Management
ABD
Explanation:
https://docs.splunk.com/Documentation/Forwarder/8.2.1/Forwarder/HowtoforwarddatatoSplunkEnterprise
"You can collect data on the universal forwarder using several methods. Define inputs on the universal forwarder with the CLI. You can use the CLI to define inputs on the universal forwarder. After you define the inputs, the universal forwarder collects data based on those definitions as long as it has access to the data that you want to monitor. Define inputs on the universal forwarder with configuration files. If the input you want to configure does not have a CLI argument for it, you can configure inputs with configuration files. Create an inputs.conf file in the directory, $SPLUNK_HOME/etc/system/local
Which parent directory contains the configuration files in Splunk?
- A . $SPLUNK_HOME/etc
- B . $SPLUNK_HOME/var
- C . $SPLUNK_HOME/conf
- D . $SPLUNK_HOME/default
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories
The section titled "Configuration file directories" states: "A detailed list of settings for each configuration file is provided in the .spec file names for that configuration file. You can find the latest version of the .spec and .example files in the $SPLUNK_HOME/etc/system/README folder of your Splunk Enterprise installation…"
Which forwarder type can parse data prior to forwarding?
- A . Universal forwarder
- B . Heaviest forwarder
- C . Hyper forwarder
- D . Heavy forwarder
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Typesofforwarders
"A heavy forwarder parses data before forwarding it and can route data based on criteria such as source or type of event."
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
- A . Indexers
- B . Forwarder
- C . Search head
- D . Search peers
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Howuserscancontroldistributedsearches
"From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers, and consolidates the results when presenting them to the user."
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
- A . Deployer
- B . Cluster master
- C . Deployment server
- D . Search head cluster master
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Updating/Updateconfigurations
The first line says it all: "The deployment server distributes deployment apps to clients."
Where should apps be located on the deployment server that the clients pull from?
- A . $SPLUNK_HOME/etc/apps
- B . $SPLUNK_HOME/etc/search
- C . $SPLUNK_HOME/etc/master-apps
- D . $SPLUNK_HOME/etc/deployment-apps
D
Explanation:
After an app is downloaded, it resides under $SPLUNK_HOME/etc/apps on the deployment clients.
But it resides in the $SPLUNK_HOME/etc/deployment-apps location on the deployment server.
This file has been manually created on a universal forwarder
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new
Which file is now monitored?
- A . /var/log/messages
- B . /var/log/maillog
- C . /var/log/maillog and /var/log/messages
- D . none of the above
In which phase of the index time process does the license metering occur?
- A . input phase
- B . Parsing phase
- C . Indexing phase
- D . Licensing phase
C
Explanation:
"When ingesting event data, the measured data volume is based on the new raw data that is placed into the indexing pipeline. Because the data is measured at the indexing pipeline, data that is filtered and dropped prior to indexing does not count against the license volume quota." https://docs.splunk.com/Documentation/Splunk/8.0.6/Admin/HowSplunklicensingworks
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug
What will the output be?
- A . list of all the configurations on-disk that Splunk contains.
- B . A verbose list of all configurations as they were when splunkd started.
- C . A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located
- D . A list of the current running props.conf configurations along with a file path from which the configuration was made
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.1/Troubleshooting/Usebtooltotroubleshootconfigurations
"The btool command simulates the merging process using the on-disk conf files and creates a report showing the merged settings."
"The report does not necessarily represent what’s loaded in memory. If a conf file change is made that requires a service restart, the btool report shows the change even though that change isn’t active."
When running the command shown below, what is the default path in which deployment server. conf is created?
splunk set deploy-poll deployServer:port
- A . $SPLUNK_HOME/etc/deployment
- B . $SPLUNK_HOME/etc/system/local
- C . $SPLUNK_HOME/etc/system/default
- D . $SPLUNK_HOME/etc/apps/deployment
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Updating/Definedeploymentclasses#Ways_to_define_server_classes
"When you use forwarder management to create a new server class, it saves the server class definition in a copy of serverclass.conf under $SPLUNK_HOME/etc/system/local. If, instead of using forwarder management, you decide to directly edit serverclass.conf, it is recommended that you create the serverclass.conf file in that same directory, $SPLUNK_HOME/etc/system/local."
The priority of layered Splunk configuration files depends on the file’s:
- A . Owner
- B . Weight
- C . Context
- D . Creation time
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles
"To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user."
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
- A . Slash notation
- B . Regular expression
- C . Irregular expression
- D . Wildcard-only expression
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Whitelistorblacklistspecificincomingdata#Include_or_exclude_specific_incoming_data
What is required when adding a native user to Splunk? (select all that apply)
- A . Password
- B . Username
- C . Full Name
- D . Default app
AB
Explanation:
According to the Splunk system admin course PDF, when adding native users, Username and Password ARE REQUIRED.
What are the minimum required settings when creating a network input in Splunk?
- A . Protocol, port number
- B . Protocol, port, location
- C . Protocol, username, port
- D . Protocol, IP, port number
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Admin/Inputsconf
[tcp://<remote server>:<port>]
*Configures the input to listen on a specific TCP network port.
*If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.
*If you do not specify <remote server>, this stanza matches all connections on the specified port.
*Generates events with source set to "tcp:<port>", for example: tcp:514
*If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw"
Which Splunk component requires a Forwarder license?
- A . Search head
- B . Heavy forwarder
- C . Heaviest forwarder
- D . Universal forwarder
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
- A . _TCP_ROUTING
- B . _INDEXER_LIST
- C . _INDEXER_GROUP
- D . _INDEXER ROUTING
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.0.3/Forwarding/Routeandfilterdatad#Perform_selective_indexing_and_forwarding
_TCP_ROUTING specifies a comma-separated list of tcpout group names. Use this setting to selectively forward your data to specific indexers by specifying the tcpout groups that the forwarder should use when forwarding the data. Define the tcpout group names in the outputs.conf file in [tcpout:<tcpout_group_name>] stanzas. The default groups are those listed in defaultGroup in the [tcpout] stanza of the outputs.conf file.
To set up a Network input in Splunk, what needs to be specified?
- A . File path.
- B . Username and password
- C . Network protocol and port number.
- D . Network protocol and MAC address.
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.3/Data/Monitornetworkports
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
- A . Universal forwarder
- B . Parsing forwarder
- C . Heavy forwarder
- D . Advanced forwarder
Which of the following statements describe deployment management? (select all that apply)
- A . Requires an Enterprise license
- B . Is responsible for sending apps to forwarders.
- C . Once used, is the only way to manage forwarders
- D . Can automatically restart the host OS running the forwarder.
AB
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Admin/Distdeploylicenses#:~:text=License%20requirements,do%20not%20index%20external%20data.
"All Splunk Enterprise instances functioning as management components need access to an Enterprise license. Management components include the deployment server, the indexer cluster manager node, the search head cluster deployer, and the monitoring console."
https://docs.splunk.com/Documentation/Splunk/8.2.2/Updating/Aboutdeploymentserver
"The deployment server is the tool for distributing configurations, apps, and content updates to groups of Splunk Enterprise instances."
During search time, which directory of configuration files has the highest precedence?
- A . $SPLUNK_HOME/etc/system/local
- B . $SPLUNK_HOME/etc/system/default
- C . $SPLUNK_HOME/etc/apps/app1/local
- D . $SPLUNK_HOME/etc/users/admin/local
D
Explanation:
Adding further clarity and quoting the same Splunk reference URL from @giubal:
"To keep configuration settings consistent across peer nodes, configuration files are managed from the cluster master, which pushes the files to the slave-app directories on the peer nodes. Files in the slave-app directories have the highest precedence in a cluster peer’s configuration. Here is the expanded precedence order for cluster peers:
Within props.conf, which stanzas are valid for data modification? (select all that apply)
- A . Host
- B . Server
- C . Source
- D . Sourcetype
ACD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec
https://docs.splunk.com/Documentation/Splunk/8.1.1/Admin/Propsconf
"* Reuse of the same field-extracting regular expression across multiple sources, source types, or hosts." https://docs.splunk.com/Documentation/Splunk/8.0.4/Admin/Propsconf#props.conf.spec
Authentication Granted
6 Log into Splunk
Explanation:
Using the provided Duo/Splunk reference URL https://duo.com/docs/splunk
Scroll down to the Network Diagram section and note the following 6 similar steps:
1 – Splunk connection initiated
2 – Primary authentication
3 – Splunk connection established to Duo Security over TCP port 443
4 – Secondary authentication via Duo Security’s service
5 – Splunk receives authentication response
6 – Splunk session logged in.
Where can scripts for scripted inputs reside on the host file system? (select all that apply)
- A . $SPLUNK_HOME/bin/scripts
- B . $SPLUNK_HOME/etc/apps/bin
- C . $SPLUNK_HOME/etc/system/bin
- D . $SPLUNK_HOME/etc/apps/<your_app>/bin
ACD
Explanation:
"Where to place the scripts for scripted inputs. The script that you refer to in $SCRIPT can reside in only one of the following places on the host file system:
$SPLUNK_HOME/etc/system/bin
$SPLUNK_HOME/etc/apps/<your_App>/bin
$SPLUNK_HOME/bin/scripts
As a best practice, put your script in the bin/ directory that is nearest to the inputs.conf file that calls your script on the host file system."
How does the Monitoring Console monitor forwarders?
- A . By pulling internal logs from forwarders.
- B . By using the forwarder monitoring add-on
- C . With internal logs forwarded by forwarders.
- D . With internal logs forwarded by deployment server.
C
Explanation:
Quoting the following Splunk URL reference:
https://docs.splunk.com/Documentation/Splunk/8.2.2/DMC/DMCprerequisites
"Monitoring Console setup prerequisites. Forward internal logs (both $SPLUNK_HOME/var/log/splunk and $SPLUNK_HOME/var/log/introspection) to indexers from all other components. Without this step, many dashboards will lack data."
What options are available when creating custom roles? (select all that apply)
- A . Restrict search terms
- B . Whitelist search terms
- C . Limit the number of concurrent search jobs
- D . Allow or restrict indexes that can be searched.
ACD
Explanation:
https://docs.splunk.com/Documentation/SplunkCloud/8.2.2106/Admin/ConcurrentLimits
"Set limits for concurrent scheduled searches. You must have the edit_search_concurrency_all and edit_search_concurrency_scheduled capabilities to configure these settings."
Which of the following are supported options when configuring optional network inputs?
- A . Metadata override, sender filtering options, network input queues (quantum queues)
- B . Metadata override, sender filtering options, network input queues (memory/persistent queues)
- C . Filename override, sender filtering options, network output queues (memory/persistent queues)
- D . Metadata override, receiver filtering options, network input queues (memory/persistent queues)
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Monitornetworkports
What is the default character encoding used by Splunk during the input phase?
- A . UTF-8
- B . UTF-16
- C . EBCDIC
- D . ISO 8859
A
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding
"Configure character set encoding. Splunk software attempts to apply UTF-8 encoding to your sources by default. If a source doesn't use UTF-8 encoding or is a non-ASCII file, Splunk software tries to convert data from the source to UTF-8 encoding unless you specify a character set to use by setting the CHARSET key in the props.conf file."
Which of the following enables compression for universal forwarders in outputs.conf?
A)
B)
C)
D)
- A . Option A
- B . Option B
- C . Option C
- D . Option D
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Outputsconf
# Compression
#
# This example sends compressed events to the remote indexer.
# NOTE: Compression can be enabled on TCP or SSL outputs only.
# The receiver input port should also have compression enabled.
[tcpout]
server = splunkServer.example.com:4433
compressed = true
User role inheritance allows what to be inherited from the parent role? (select all that apply)
- A . Parents
- B . Capabilities
- C . Index access
- D . Search history
BC
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Security/Aboutusersandroles#Role_inheritance
https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Aboutusersandroles#How_users_inherit_capabilities
Which of the following statements apply to directory inputs? (select all that apply)
- A . All discovered text files are consumed.
- B . Compressed files are ignored by default
- C . Splunk recursively traverses through the directory structure.
- D . When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A)
B)
C)
D)
- A . option A
- B . Option B
- C . Option C
- D . Option D
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.3/DistSearch/Distributedsearchgroups
Which of the following is a valid distributed search group?
A)
B)
C)
D)
- A . option A
- B . Option B
- C . Option C
- D . Option D
Local user accounts created in Splunk store passwords in which file?
- A . $SPLUNK_HOME/etc/passwd
- B . $SPLUNK_HOME/etc/authentication
- C . $SPLUNK_HOME/etc/users/passwd.conf
- D . $SPLUNK_HOME/etc/users/authentication.conf
A
Explanation:
Per the provided reference URL https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/User-seedconf
"To set the default username and password, place user-seed.conf in $SPLUNK_HOME/etc/system/local. You must restart Splunk to enable configurations. If the $SPLUNK_HOME/etc/passwd file is present, the settings in this file (user-seed.conf) are not used."
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE to what value?
- A . True
- B . False
- C . <regex string>
- D . Newline Character
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Data/Configureeventlinebreaking
Attribute: SHOULD_LINEMERGE = [true|false]
Description: When set to true, the Splunk platform combines several input lines into a single event, with configuration based on the settings described in the next section.
Which Splunk component does a search head primarily communicate with?
- A . Indexer
- B . Forwarder
- C . Cluster master
- D . Deployment server
Which layers are involved in Splunk configuration file layering? (select all that apply)
- A . App context
- B . User context
- C . Global context
- D . Forwarder context
ABC
Explanation:
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles
"To determine the order of directories for evaluating configuration file precedence, Splunk software considers each file's context. Configuration files operate in either a global context or in the context of the current app and user:
Global. Activities like indexing take place in a global context. They are independent of any app or user. For example, configuration files that determine monitoring or indexing behavior occur outside of the app and user context and are global in nature.
App/user. Some activities, like searching, take place in an app or user context. The app and user context is vital to search-time processing, where certain knowledge objects or actions might be valid only for specific users in specific apps."
Which of the following are methods for adding inputs in Splunk? (select all that apply)
- A . CLI
- B . Splunk Web
- C . Editing inputs.conf
- D . Editing monitor.conf
ABC
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Configureyourinputs
"Add your data to Splunk Enterprise. With Splunk Enterprise, you can add data using Splunk Web or Splunk Apps. In addition to these methods, you also can use the following methods:
- The Splunk Command Line Interface (CLI)
- The inputs.conf configuration file
When you specify your inputs with Splunk Web or the CLI, the details are saved in a configuration file on Splunk Enterprise indexer and heavy forwarder instances."
Which of the following authentication types requires scripting in Splunk?
- A . ADFS
- B . LDAP
- C . SAML
- D . RADIUS
D
Explanation:
https://answers.splunk.com/answers/131127/scripted-authentication.html
Scripted Authentication: An option for Splunk Enterprise authentication. You can use an authentication system that you have in place (such as PAM or RADIUS) by configuring authentication.conf to use a script instead of using LDAP or Splunk Enterprise default authentication.
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
- A . A token-based HTTP input that is secure and scalable and that requires the use of forwarders
- B . A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
- C . An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
- D . A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/UsetheHTTPEventCollector
"The HTTP Event Collector (HEC) lets you send data and application events to a Splunk deployment over the HTTP and Secure HTTP (HTTPS) protocols. HEC uses a token-based authentication model. You can generate a token and then configure a logging library or HTTP client with the token to send data to HEC in a specific format. This process eliminates the need for a Splunk forwarder when you send application events."
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
- A . ... is not supported in monitor stanzas
- B . There is no difference, they are interchangeable and match anything beyond directory boundaries.
- C . * matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.
- D . ... matches anything in that specific directory path segment, whereas * recurses through subdirectories as well.
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.0/Data/Specifyinputpathswithwildcards
... The ellipsis wildcard searches recursively through directories and any number of levels of subdirectories to find matches.
If you specify a folder separator (for example, //var/log/.../file), it does not match the first folder level, only subfolders.
* The asterisk wildcard matches anything in that specific folder path segment. Unlike ..., * does not recurse through subfolders.
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
- A . License data
- B . Metrics data
- C . Internal Splunk data
- D . Internal Windows logs
Which valid bucket types are searchable? (select all that apply)
- A . Hot buckets
- B . Cold buckets
- C . Warm buckets
- D . Frozen buckets
ABC
Explanation:
Hot, warm, cold, and thawed buckets are searchable. Frozen buckets are not searchable because at that stage the data is either deleted or archived.
How do you remove missing forwarders from the Monitoring Console?
- A . By restarting Splunk.
- B . By rescanning active forwarders.
- C . By reloading the deployment server.
- D . By rebuilding the forwarder asset table.
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
- A . Any OS platform
- B . Linux platform only
- C . Windows platform only.
- D . None of the above.
A
Explanation:
"The forwarder/indexer relationship can be considered platform agnostic (within the sphere of supported platforms) because they exchange their data handshake (and the data, if you wish) over TCP."
What are the required stanza attributes when configuring transforms.conf to manipulate or remove events?
- A . REGEX, DEST. FORMAT
- B . REGEX. SRC_KEY, FORMAT
- C . REGEX, DEST_KEY, FORMAT
- D . REGEX, DEST_KEY FORMATTING
C
Explanation:
REGEX = <regular expression>
* Enter a regular expression to operate on your data.
FORMAT = <string>
* NOTE: This option is valid for both index-time and search-time field extraction. Index-time field extraction configurations require the FORMAT setting. The FORMAT setting is optional for search-time field extraction configurations.
* This setting specifies the format of the event, including any field names or values you want to add.
DEST_KEY = <key>
* NOTE: This setting is only valid for index-time field extractions.
* Specifies where Splunk software stores the expanded FORMAT results in accordance with the REGEX match.
Which of the following indexes come pre-configured with Splunk Enterprise? (select all that apply)
- A . _license
- B . _internal
- C . _external
- D . _thefishbucket
BD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.5/Indexer/Howindexingworks
How often does Splunk recheck the LDAP server?
- A . Every 5 minutes
- B . Each time a user logs in
- C . Each time Splunk is restarted
- D . Varies based on LDAP_refresh setting.
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Security/ManageSplunkuserroleswithLDAP
Where are license files stored?
- A . $SPLUNK_HOME/etc/secure
- B . $SPLUNK_HOME/etc/system
- C . $SPLUNK_HOME/etc/licenses
- D . $SPLUNK_HOME/etc/apps/licenses
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
- A . To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state
- B . To ensure that configuration files have not been tampered with for auditing and/or legal purposes
- C . To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
- D . To ensure that data has not been tampered with for auditing and/or legal purposes
Which Splunk component performs indexing and responds to search requests from the search head?
- A . Forwarder
- B . Search peer
- C . License master
- D . Search head cluster
B
Explanation:
https://docs.splunk.com/Splexicon:Searchpeer
"A Splunk platform instance that responds to search requests from a search head. The term "search peer" is usually synonymous with the indexer role in a distributed search topology..."
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
- A . App Class
- B . Client Class
- C . Server Class
- D . Forwarder Class
C
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.0.6/Updating/Deploymentserverarchitecture
https://docs.splunk.com/Splexicon:Serverclass
In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing.
Event example:
Which value would fit best?
- A . MAX_TIMESTAMP_LOOKAHEAD = 5
- B . MAX_TIMESTAMP_LOOKAHEAD = 10
- C . MAX_TIMESTAMP_LOOKAHEAD = 20
- D . MAX_TIMESTAMP_LOOKAHEAD = 30
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/6.2.0/Data/Configuretimestamprecognition
"Specify how far (how many characters) into an event Splunk software should look for a timestamp." Since TIME_PREFIX = ^ and the timestamp occupies character positions 0-29, D (30) picks up the whole timestamp correctly.
Which of the following are required when defining an index in indexes.conf? (select all that apply)
- A . coldPath
- B . homePath
- C . frozenPath
- D . thawedPath
ABD
Explanation:
homePath = $SPLUNK_DB/hatchdb/db
coldPath = $SPLUNK_DB/hatchdb/colddb
thawedPath = $SPLUNK_DB/hatchdb/thaweddb
https://docs.splunk.com/Documentation/Splunk/latest/Admin/Indexesconf
https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS
Which of the following apply to how distributed search works? (select all that apply)
- A . The search head dispatches searches to the peers
- B . The search peers pull the data from the forwarders.
- C . Peers run searches in parallel and return their portion of results.
- D . The search head consolidates the individual results and prepares reports
ACD
Explanation:
Users log on to the search head and run reports:
- The search head dispatches searches to the peers
- Peers run searches in parallel and return their portion of results
- The search head consolidates the individual results and prepares reports
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
- A . Disk
- B . CPUs
- C . Memory
- D . Network interface cards
B
Explanation:
https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/SHCarchitecture
Scroll down to the section titled "How the cluster handles concurrent search quotas": "Overall search quota. This quota determines the maximum number of historical searches (combined scheduled and ad hoc) that the cluster can run concurrently. This quota is configured with max_searches_per_cpu and related settings in limits.conf."
Which authentication methods are natively supported within Splunk Enterprise? (select all that apply)
- A . LDAP
- B . SAML
- C . RADIUS
- D . Duo Multifactor Authentication
ABC
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SetupuserauthenticationwithSplunk
Splunk authentication: Provides Admin, Power and User by default, and you can define your own roles using a list of capabilities. If you have an Enterprise license, Splunk authentication is enabled by default. See Set up user authentication with Splunk’s built-in system for more information. LDAP: Splunk Enterprise supports authentication with its internal authentication services or your existing LDAP server. See Set up user authentication with LDAP for more information. Scripted authentication API: Use scripted authentication to integrate Splunk authentication with an external authentication system, such as RADIUS or PAM. See Set up user authentication with external systems for more information. Note: Authentication, including native authentication, LDAP, and scripted authentication, is not available in Splunk Free.
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)
- A . props.conf
- B . inputs.conf
- C . rawdata.conf
- D . transforms.conf
AD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Knowledge/Configureadvancedextractionswithfieldtransforms
Use transformations with props.conf and transforms.conf to:
- Mask or delete raw data as it is being indexed
- Override sourcetype or host based upon event values
- Route events to specific indexes based on event content
- Prevent unwanted events from being indexed
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Configuretimestamprecognition
What conf file needs to be edited to set up distributed search groups?
- A . props.conf
- B . search.conf
- C . distsearch.conf
- D . distibutedsearch.conf
C
Explanation:
"You can group your search peers to facilitate searching on a subset of them. Groups of search peers are known as "distributed search groups." You specify distributed search groups in the distsearch.conf file"
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Distributedsearchgroups
After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?
- A . index=main
- B . index=test
- C . index=summary
- D . index=_internal
D
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Validateyourconfiguration
Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.)
- A . Index once.
- B . Monitor interval.
- C . On-demand monitor.
- D . Continuously monitor.
AD
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.2.2/Data/Howdoyouwanttoadddata
The fastest way to add data to your Splunk Cloud instance or Splunk Enterprise deployment is to use Splunk Web. After you access the Add Data page, choose one of three options for getting data into your Splunk platform deployment with Splunk Web: (1) Upload, (2) Monitor, (3) Forward. The Upload option lets you upload a file or archive of files for indexing. When you choose the Upload option, Splunk Web opens the upload process page. Monitor: for Splunk Enterprise installations, the Monitor option lets you monitor one or more files, directories, network streams, scripts, Event Logs (on Windows hosts only), performance metrics, or any other type of machine data that the Splunk Enterprise instance has access to.
Which is a valid stanza for a network input?
- A . [udp://172.16.10.1:9997] connection = dns sourcetype = dns
- B . [any://172.16.10.1:10001] connection_host = ip sourcetype = web
- C . [tcp://172.16.10.1:9997] connection_host = web sourcetype = web
- D . [tcp://172.16.10.1:10001] connection_host = dns sourcetype = dns
D
Explanation:
https://docs.splunk.com/Documentation/Splunk/8.1.1/Data/Monitornetworkports
Reference: https://docs.splunk.com/Documentation/SplunkCloud/8.0.2006/Data/Bypassautomaticsourcetypeassignment
Which additional component is required for a search head cluster?
- A . Deployer
- B . Cluster Master
- C . Monitoring Console
- D . Management Console
A
Explanation:
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeploymentoverview
The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.
When are knowledge bundles distributed to search peers?
- A . After a user logs in.
- B . When Splunk is restarted.
- C . When adding a new search peer.
- D . When a distributed search is initiated.
D
Explanation:
"The search head replicates the knowledge bundle periodically in the background or when initiating a search." "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching across indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend
Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is cleaned and now the data must be reindexed.
What other index must be cleaned to reset the input checkpoint information for that file?
- A . _audit
- B . _checkpoint
- C . _introspection
- D . _thefishbucket
D
Explanation:
--reset: Reset the fishbucket for the given key or file in the btree. Resetting the checkpoint for an active monitor input reindexes data, resulting in increased license use.
https://docs.splunk.com/Documentation/Splunk/8.1.1/Troubleshooting/CommandlinetoolsforusewithSupport
Reference: http://docshare02.docshare.tips/files/4773/47733589.pdf
If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component would the fishbucket need to be reset in order to reindex the data?
- A . Indexer
- B . Forwarder
- C . Search head
- D . Deployment server
A
Explanation:
https://www.splunk.com/en_us/blog/tips-and-tricks/what-is-this-fishbucket-thing.html "Every Splunk instance has a fishbucket index, except the lightest of hand-tuned lightweight forwarders, and if you index a lot of files it can get quite large. As any other index, you can change the retention policy to control the size via indexes.conf"
Reference: https://community.splunk.com/t5/Archive/How-to-reindex-data-from-a-forwarder/td-p/93310
How can native authentication be disabled in Splunk?
- A . Remove the $SPLUNK_HOME/etc/passwd file
- B . Create an empty $SPLUNK_HOME/etc/passwd file
- C . Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
- D . Set nativeAuthentication=false in authentication.conf
B
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/Security/Secureyouradminaccount