Question 1

Configurations from the deployer are merged into which location on the search head cluster member?

Accepted Answer

A)  SPLUNK_HOME/etc/system/local 
B)  SPLUNK_HOME/etc/apps/APP_HOME/local 
C)  SPLUNK_HOME/etc/apps/search/default 
D)  SPLUNK_HOME/etc/apps/APP_HOME/default 
A)  SPLUNK_HOME/etc/system/local 
B)  SPLUNK_HOME/etc/apps/APP_HOME/local 
C)  SPLUNK_HOME/etc/apps/search/default 
D)  SPLUNK_HOME/etc/apps/APP_HOME/default A

Question 2

The frequency in which a deployment client contacts the deployment server is controlled by what?

Accepted Answer

A)  polling_interval attribute in outputs.conf polling_interval attribute in outputs.conf 
B)  p honeHomeIntervalInSecs attribute in outputs.conf p honeHomeIntervalInSecs 
C)  polling_interval attribute in deploymentclient.conf deploymentclient.conf 
D)  phoneHomeIntervalInSecs attribute in deploymentclient.conf phoneHomeIntervalInSecs 
A)  polling_interval attribute in outputs.conf polling_interval attribute in outputs.conf 
B)  p honeHomeIntervalInSecs attribute in outputs.conf p honeHomeIntervalInSecs 
C)  polling_interval attribute in deploymentclient.conf deploymentclient.conf 
D)  phoneHomeIntervalInSecs attribute in deploymentclient.conf phoneHomeIntervalInSecs D

Question 3

Which of the following is an indexer clustering requirement?

Accepted Answer

A)  Must use shared storage. 
B)  Must reside on a dedicated rack. 
C)  Must have at least three members. 
D)  Must share the same license pool. 
A)  Must use shared storage. 
B)  Must reside on a dedicated rack. 
C)  Must have at least three members. 
D)  Must share the same license pool. D

Question 4

Which search will show all deployment client messages from the client (UF)?

Accepted Answer

A) index=_audit component=DC* host= | stats count by message B) index=_audit component=DC* host= | stats count by message C) index=_internal component= DC* host= | stats count by message D) index=_internal component=DS* host= | stats count by message A) index=_audit component=DC* host= | stats count by message B) index=_audit component=DC* host= | stats count by message C) index=_internal component= DC* host= | stats count by message D) index=_internal component=DS* host= | stats count by message

Question 5

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

Accepted Answer

A)  kvstore.conf 
B)  collection.conf 
C)  collections.conf 
D)  kvcollections.conf 
A)  kvstore.conf 
B)  collection.conf 
C)  collections.conf 
D)  kvcollections.conf

Question 6

In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

Accepted Answer

A)  Use the Monitoring Console. 
B)  Use the Search Head Clustering settings menu from Splunk Web on any member. 
C)  Run the splunk transfer shcluster-captain command from the current captain. Run the splunk transfer shcluster-captain command from the current captain. 
D)  Run the splunk transfer shcluster-captain command from the member you would like to become the captain. command from the member you would like to become the captain. 
A)  Use the Monitoring Console. 
B)  Use the Search Head Clustering settings menu from Splunk Web on any member. 
C)  Run the splunk transfer shcluster-captain command from the current captain. Run the splunk transfer shcluster-captain command from the current captain. 
D)  Run the splunk transfer shcluster-captain command from the member you would like to become the captain. command from the member you would like to become the captain.

Question 7

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

Accepted Answer

A)  Via Splunk Web. 
B)  Directly edit SPLUNK_HOME/etc/system/local/server.conf Directly edit SPLUNK_HOME/etc/system/local/server.conf 
C)  Run a splunk edit cluster-config command from the CLI. Run a splunk edit cluster-config command from the CLI. 
D)  Directly edit SPLUNK_HOME/etc/system/default/server.conf SPLUNK_HOME/etc/system/default/server.conf 
A)  Via Splunk Web. 
B)  Directly edit SPLUNK_HOME/etc/system/local/server.conf Directly edit SPLUNK_HOME/etc/system/local/server.conf 
C)  Run a splunk edit cluster-config command from the CLI. Run a splunk edit cluster-config command from the CLI. 
D)  Directly edit SPLUNK_HOME/etc/system/default/server.conf SPLUNK_HOME/etc/system/default/server.conf

Question 8

What is a Splunk Job? (Select all that apply.)

Accepted Answer

A)  A user-defined Splunk capability. 
B)  Searches that are subjected to some usage quota. 
C)  A search process kicked off via a report or an alert. 
D)  A child OS process manifested from the splunkd process. 
A)  A user-defined Splunk capability. 
B)  Searches that are subjected to some usage quota. 
C)  A search process kicked off via a report or an alert. 
D)  A child OS process manifested from the splunkd process.

Question 9

Which of the following commands is used to clear the KV store?

Accepted Answer

A)  splunk clean kvstore 
B)  splunk clear kvstore 
C)  splunk delete kvstore 
D)  splunk reinitialize kvstore 
A)  splunk clean kvstore 
B)  splunk clear kvstore 
C)  splunk delete kvstore 
D)  splunk reinitialize kvstore

Question 10

Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?

Accepted Answer

A)  Setting the cluster search factor to N-1. 
B)  Increasing the number of buckets per index. 
C)  Decreasing the data model acceleration range. 
D)  Setting the cluster replication factor to N-1. 
A)  Setting the cluster search factor to N-1. 
B)  Increasing the number of buckets per index. 
C)  Decreasing the data model acceleration range. 
D)  Setting the cluster replication factor to N-1.

Question 11

What does setting site=site0 on all Search Head Cluster members do in a multi-site indexer cluster?

Accepted Answer

A)  Disables search site affinity. 
B)  Sets all members to dynamic captaincy. 
C)  Enables multisite search artifact replication. 
D)  Enables automatic search site affinity discovery. 
A)  Disables search site affinity. 
B)  Sets all members to dynamic captaincy. 
C)  Enables multisite search artifact replication. 
D)  Enables automatic search site affinity discovery.

Question 12

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

Accepted Answer

A)  adhoc_searchhead = true (on all members) adhoc_searchhead = true (on all members) 
B)  adhoc_searchhead = true (on the current captain) (on the current captain) 
C)  captain_is_adhoc_searchhead = true (on all members) captain_is_adhoc_searchhead = true 
D)  captain_is_adhoc_searchhead = true (on the current captain) 
A)  adhoc_searchhead = true (on all members) adhoc_searchhead = true (on all members) 
B)  adhoc_searchhead = true (on the current captain) (on the current captain) 
C)  captain_is_adhoc_searchhead = true (on all members) captain_is_adhoc_searchhead = true 
D)  captain_is_adhoc_searchhead = true (on the current captain)

Question 13

At which default interval does metrics.log generate a periodic report regarding license utilization?

Accepted Answer

A)  10 seconds 
B)  30 seconds 
C)  60 seconds 
D)  300 seconds 
A)  10 seconds 
B)  30 seconds 
C)  60 seconds 
D)  300 seconds

Question 14

Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)

Accepted Answer

A)  Free licenses do not support clustering. 
B)  Replicated data does not count against licensing. 
C)  Each cluster member requires its own clustering license. 
D)  Cluster members must share the same license pool and license master. 
A)  Free licenses do not support clustering. 
B)  Replicated data does not count against licensing. 
C)  Each cluster member requires its own clustering license. 
D)  Cluster members must share the same license pool and license master.

Question 15

Which of the following are client filters available in serverclass.conf ? (Select all that apply.)

Accepted Answer

A)  DNS name. 
B)  IP address. 
C)  Splunk server role. 
D)  Platform (machine type). 
A)  DNS name. 
B)  IP address. 
C)  Splunk server role. 
D)  Platform (machine type).

Question 16

Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)

Accepted Answer

A)  OS settings. 
B)  Internal logs. 
C)  Customer data. 
D)  Configuration files. 
A)  OS settings. 
B)  Internal logs. 
C)  Customer data. 
D)  Configuration files.

Question 17

Which server.conf attribute should be added to the master node's file when decommissioning a site in an indexer cluster?

Accepted Answer

A)  site_mappings 
B)  available_sites 
C)  site_search_factor 
D)  site_replication_factor 
A)  site_mappings 
B)  available_sites 
C)  site_search_factor 
D)  site_replication_factor

Question 18

Which CLI command converts a Splunk instance to a license slave?

Accepted Answer

A)  splunk add licenses 
B)  splunk list licenser-slaves 
C)  splunk edit licenser-localslave 
D)  splunk list licenser-localslave 
A)  splunk add licenses 
B)  splunk list licenser-slaves 
C)  splunk edit licenser-localslave 
D)  splunk list licenser-localslave

Question 19

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

Accepted Answer

A)  Replace the indexer storage to solid state drives (SS
D) . 
B)  Add more search heads and redistribute users based on the search type. 
C)  Look for slow searches and reschedule them to run during an off-peak time. 
D)  Add more search peers and make sure forwarders distribute data evenly across all indexers. 
A)  Replace the indexer storage to solid state drives (SS
D) . 
B)  Add more search heads and redistribute users based on the search type. 
C)  Look for slow searches and reschedule them to run during an off-peak time. 
D)  Add more search peers and make sure forwarders distribute data evenly across all indexers.

Question 20

To improve Splunk performance, parallelIngestionPipeline s setting can be adjusted on which of the following components in the Splunk architecture? (Select all that apply.)

Accepted Answer

A)  Indexers 
B)  Forwarders 
C)  Search head 
D)  Cluster master 
A)  Indexers 
B)  Forwarders 
C)  Search head 
D)  Cluster master

Configurations from the deployer are merged into which location on the search head cluster member?

The frequency in which a deployment client contacts the deployment server is controlled by what?

Which of the following is an indexer clustering requirement?

Which search will show all deployment client messages from the client (UF)?

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

What is a Splunk Job? (Select all that apply.)

Which of the following commands is used to clear the KV store?

Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?

What does setting site=site0 on all Search Head Cluster members do in a multi-site indexer cluster?

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

At which default interval does metrics.log generate a periodic report regarding license utilization?

Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)

Which of the following are client filters available in serverclass.conf ? (Select all that apply.)

Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)

Which server.conf attribute should be added to the master node's file when decommissioning a site in an indexer cluster?

Which CLI command converts a Splunk instance to a license slave?

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

To improve Splunk performance, parallelIngestionPipeline s setting can be adjusted on which of the following components in the Splunk architecture? (Select all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 5: Splunk Enterprise Security Certified Admin

Configurations from the deployer are merged into which location on the search head cluster member?

The frequency in which a deployment client contacts the deployment server is controlled by what?

Which of the following is an indexer clustering requirement?

Which search will show all deployment client messages from the client (UF)?

Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

In search head clustering, which of the following methods can you use to transfer captaincy to a different member? (Select all that apply.)

A multi-site indexer cluster can be configured using which of the following? (Select all that apply.)

What is a Splunk Job? (Select all that apply.)

Which of the following commands is used to clear the KV store?

Which of the following will cause the greatest reduction in disk size requirements for a cluster of N indexers running Splunk Enterprise Security?

What does setting site=site0 on all Search Head Cluster members do in a multi-site indexer cluster?

To reduce the captain's work load in a search head cluster, what setting will prevent scheduled searches from running on the captain?

At which default interval does metrics.log generate a periodic report regarding license utilization?

Which of the following statements describe licensing in a clustered Splunk deployment? (Select all that apply.)

Which of the following are client filters available in serverclass.conf ? (Select all that apply.)

Which of the following artifacts are included in a Splunk diag file? (Select all that apply.)

Which server.conf attribute should be added to the master node's file when decommissioning a site in an indexer cluster?

Which CLI command converts a Splunk instance to a license slave?

Search dashboards in the Monitoring Console indicate that the distributed deployment is approaching its capacity. Which of the following options will provide the most search performance improvement?

To improve Splunk performance, parallelIngestionPipeline s setting can be adjusted on which of the following components in the Splunk architecture? (Select all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters