Question 1

What are the minimum required settings when creating a network input in Splunk?

Accepted Answer

A)  Protocol, port number 
B)  Protocol, port, location 
C)  Protocol, username, port 
D)  Protocol, IP, port number 
A)  Protocol, port number 
B)  Protocol, port, location 
C)  Protocol, username, port 
D)  Protocol, IP, port number A

Question 2

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=* What field can the administrator check to see the data distribution?

Accepted Answer

A)  host 
B)  index 
C)  linecount 
D)  splunk_server 
A)  host 
B)  index 
C)  linecount 
D)  splunk_server D

Question 3

With authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)

Accepted Answer

A)  LDAP 
B)  SAML 
C)  RADIUS 
D)  Duo Multifactor Authentication 
A)  LDAP 
B)  SAML 
C)  RADIUS 
D)  Duo Multifactor Authentication A,D

Question 4

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Accepted Answer

A)  inputs.conf 
B)  monitor.conf 
C)  outputs.conf 
D)  forwarder.conf 
A)  inputs.conf 
B)  monitor.conf 
C)  outputs.conf 
D)  forwarder.conf

Question 5

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

Accepted Answer

A)  A token-based HTTP input that is secure and scalable and that requires the use of forwarders. 
B)  A token-based HTTP input that is secure and scalable and that does not require the use of forwarders. 
C)  An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders. 
D)  A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders. 
A)  A token-based HTTP input that is secure and scalable and that requires the use of forwarders. 
B)  A token-based HTTP input that is secure and scalable and that does not require the use of forwarders. 
C)  An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders. 
D)  A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Question 6

The universal forwarder has which capabilities when sending data? (Select all that apply.)

Accepted Answer

A)  Sending alerts 
B)  Compressing data 
C)  Obfuscating/hiding data 
D)  Indexer acknowledgement 
A)  Sending alerts 
B)  Compressing data 
C)  Obfuscating/hiding data 
D)  Indexer acknowledgement

Question 7

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

Accepted Answer

A)  The blacklist takes precedence over the whitelist. 
B)  The whitelist takes precedence over the blacklist. 
C)  Wildcards are not supported in any client filters. 
D)  Machine type filters are applied before the whitelist and blacklist. 
A)  The blacklist takes precedence over the whitelist. 
B)  The whitelist takes precedence over the blacklist. 
C)  Wildcards are not supported in any client filters. 
D)  Machine type filters are applied before the whitelist and blacklist.

Question 8

Where are license files stored?

Accepted Answer

A)  $SPLUNK_HOME/etc/secure 
B)  $SPLUNK_HOME/etc/system 
C)  $SPLUNK_HOME/etc/licenses 
D)  $SPLUNK_HOME/etc/apps/licenses 
A)  $SPLUNK_HOME/etc/secure 
B)  $SPLUNK_HOME/etc/system 
C)  $SPLUNK_HOME/etc/licenses 
D)  $SPLUNK_HOME/etc/apps/licenses

Question 9

Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

Accepted Answer

A)  CLI 
B)  Splunk Web 
C)  Editing inpits.conf Editing inpits.conf 
D)  Editing monitor.conf monitor.conf 
A)  CLI 
B)  Splunk Web 
C)  Editing inpits.conf Editing inpits.conf 
D)  Editing monitor.conf monitor.conf

Question 10

How can native authentication be disabled in Splunk?

Accepted Answer

A)  Remove the $SPLUNK_HOME/etc/passwd file Remove the $SPLUNK_HOME/etc/passwd file 
B)  Create an empty $SPLUNK_HOME/etc/passwd file Create an empty 
C)  Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf 
D)  Set nativeAuthentication=false in authentication.conf nativeAuthentication=false authentication.conf 
A)  Remove the $SPLUNK_HOME/etc/passwd file Remove the $SPLUNK_HOME/etc/passwd file 
B)  Create an empty $SPLUNK_HOME/etc/passwd file Create an empty 
C)  Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf 
D)  Set nativeAuthentication=false in authentication.conf nativeAuthentication=false authentication.conf

Question 11

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

Accepted Answer

A)  [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] servers = houston1:8089, houston2:8089 
B)  [distributedSearch] servers =nyc1, nyc2, houston1, houston2 servers = nyc1, nyc2 servers = houston1, houston2 
C)  servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089 
D)  servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089 servers = nyc1:8089; nyc2:8089 servers = houston1:8089; houston2:8089 
A)  [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] servers = houston1:8089, houston2:8089 
B)  [distributedSearch] servers =nyc1, nyc2, houston1, houston2 servers = nyc1, nyc2 servers = houston1, houston2 
C)  servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089 
D)  servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089 servers = nyc1:8089; nyc2:8089 servers = houston1:8089; houston2:8089

Question 12

Which is a valid stanza for a network input?

Accepted Answer

A)  [udp://172.16.10.1:9997] connection = dns sourcetype = dns 
B)  [any://172.16.10.1:10001] connection_host = ip sourcetype = web 
C)  [tcp://172.16.10.1:9997] connection_host = web 
D)  [tcp://172.16.10.1:10001] connection_host = dns 
A)  [udp://172.16.10.1:9997] connection = dns sourcetype = dns 
B)  [any://172.16.10.1:10001] connection_host = ip sourcetype = web 
C)  [tcp://172.16.10.1:9997] connection_host = web 
D)  [tcp://172.16.10.1:10001] connection_host = dns

Question 13

Which setting in indexes.conf allows data retention to be controlled by time?

Accepted Answer

A)  maxDaysToKeep 
B)  moveToFrozenAfter 
C)  maxDataRetentionTime 
D)  frozenTimePeriodInSecs 
A)  maxDaysToKeep 
B)  moveToFrozenAfter 
C)  maxDataRetentionTime 
D)  frozenTimePeriodInSecs

Question 14

Within props.conf , which stanzas are valid for data modification? (Choose all that apply.)

Accepted Answer

A)  Host 
B)  Server 
C)  Source 
D)  Sourcetype 
A)  Host 
B)  Server 
C)  Source 
D)  Sourcetype

Question 15

Which of the following statements describe deployment management? (Select all that apply.)

Accepted Answer

A)  Requires an Enterprise license. 
B)  Is responsible for sending apps to forwarders. 
C)  Once used, is the only way to manage forwarders. 
D)  Can automatically restart the host OS running the forwarder. 
A)  Requires an Enterprise license. 
B)  Is responsible for sending apps to forwarders. 
C)  Once used, is the only way to manage forwarders. 
D)  Can automatically restart the host OS running the forwarder.

Question 16

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

Accepted Answer

A)  Indexers, search head, universal forwarders, license master 
B)  Indexers, search head, deployment server, universal forwarders 
C)  Indexers, search head, deployment server, license master, universal forwarder 
D)  Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder 
A)  Indexers, search head, universal forwarders, license master 
B)  Indexers, search head, deployment server, universal forwarders 
C)  Indexers, search head, deployment server, license master, universal forwarder 
D)  Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Question 17

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

Accepted Answer

A)  props.conf 
B)  inputs.conf 
C)  rawdata.conf 
D)  transforms.conf 
A)  props.conf 
B)  inputs.conf 
C)  rawdata.conf 
D)  transforms.conf

Question 18

What is required when adding a native user to Splunk? (Choose all that apply.)

Accepted Answer

A)  Password 
B)  Username 
C)  Full Name 
D)  Default app 
A)  Password 
B)  Username 
C)  Full Name 
D)  Default app

Question 19

The universal forwarder has which capabilities when sending data? (Choose all that apply.)

Accepted Answer

A)  Sending alerts 
B)  Compressing data 
C)  Obfuscating/hiding data 
D)  Indexer acknowledgement 
A)  Sending alerts 
B)  Compressing data 
C)  Obfuscating/hiding data 
D)  Indexer acknowledgement

Question 20

This file has been manually created on a universal forwarder: /opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf [monitor:///var/log/messages] sourcetype=syslog index=syslog A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file: /opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf [monitor:///var/log/maillog] sourcetype=maillog Which file is now monitored?

Accepted Answer

A)  /var/log/messages 
B)  /var/log/maillog 
C)  /var/log/maillog and /var/log/messages and 
D)  none of the above 
A)  /var/log/messages 
B)  /var/log/maillog 
C)  /var/log/maillog and /var/log/messages and 
D)  none of the above

What are the minimum required settings when creating a network input in Splunk?

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=* What field can the administrator check to see the data distribution?

With authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

The universal forwarder has which capabilities when sending data? (Select all that apply.)

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

Where are license files stored?

Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

How can native authentication be disabled in Splunk?

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

Which is a valid stanza for a network input?

Which setting in indexes.conf allows data retention to be controlled by time?

Within props.conf , which stanzas are valid for data modification? (Choose all that apply.)

Which of the following statements describe deployment management? (Select all that apply.)

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

What is required when adding a native user to Splunk? (Choose all that apply.)

The universal forwarder has which capabilities when sending data? (Choose all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 3: Splunk Certified Developer

What are the minimum required settings when creating a network input in Splunk?

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs the following search over the last 24 hours: index=* What field can the administrator check to see the data distribution?

With authentication methods are natively supported within Splunk Enterprise? (Choose all that apply.)

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

The universal forwarder has which capabilities when sending data? (Select all that apply.)

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?

Where are license files stored?

Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

How can native authentication be disabled in Splunk?

How would you configure your distsearch.conf to allow you to run the search below? sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

Which is a valid stanza for a network input?

Which setting in indexes.conf allows data retention to be controlled by time?

Within props.conf , which stanzas are valid for data modification? (Choose all that apply.)

Which of the following statements describe deployment management? (Select all that apply.)

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

What is required when adding a native user to Splunk? (Choose all that apply.)

The universal forwarder has which capabilities when sending data? (Choose all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters