Question 1

Which two sections can be expanded using the Search Job Inspector?

Accepted Answer

A)  Execution costs. 
B)  Saved search history. 
C)  Search job properties. 
D)  Optimization suggestions. 
A)  Execution costs. 
B)  Saved search history. 
C)  Search job properties. 
D)  Optimization suggestions.

Question 2

What is the logical first step when starting a deployment plan?

Accepted Answer

A)  Inventory the currently deployed logging infrastructure. 
B)  Determine what apps and use cases will be implemented. 
C)  Gather statistics on the expected adoption of Splunk for sizing. 
D)  Collect the initial requirements for the deployment from all stakeholders. 
A)  Inventory the currently deployed logging infrastructure. 
B)  Determine what apps and use cases will be implemented. 
C)  Gather statistics on the expected adoption of Splunk for sizing. 
D)  Collect the initial requirements for the deployment from all stakeholders.

Question 3

Which Splunk internal index contains license-related events?

Accepted Answer

A)  _audit 
B)  _license 
C)  _internal 
D)  _introspection 
A)  _audit 
B)  _license 
C)  _internal 
D)  _introspection

Question 4

Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

Accepted Answer

A)  Is the job scheduler for the entire SHC. 
B)  Manages alert action suppressions (throttling). 
C)  Synchronizes the member list with the KV store primary. 
D)  Replicates the SHC's knowledge bundle to the search peers. 
A)  Is the job scheduler for the entire SHC. 
B)  Manages alert action suppressions (throttling). 
C)  Synchronizes the member list with the KV store primary. 
D)  Replicates the SHC's knowledge bundle to the search peers.

Question 5

Which of the following statements describe search head clustering? (Select all that apply.)

Accepted Answer

A)  A deployer is required. 
B)  At least three search heads are needed. 
C)  Search heads must meet the high-performance reference server requirements. 
D)  The deployer must have sufficient CPU and network resources to process service requests and push configurations. 
A)  A deployer is required. 
B)  At least three search heads are needed. 
C)  Search heads must meet the high-performance reference server requirements. 
D)  The deployer must have sufficient CPU and network resources to process service requests and push configurations.

Question 6

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

Accepted Answer

A)  audit.log 
B)  metrics.log 
C)  disk_objects.log 
D)  resource_usage.log 
A)  audit.log 
B)  metrics.log 
C)  disk_objects.log 
D)  resource_usage.log

Question 7

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

Accepted Answer

A)  Data encryption between Splunk Web and splunkd. 
B)  Certificate authentication between forwarders and indexers. 
C)  Certificate authentication between Splunk Web and search head. 
D)  Data encryption for distributed search between search heads and indexers. 
A)  Data encryption between Splunk Web and splunkd. 
B)  Certificate authentication between forwarders and indexers. 
C)  Certificate authentication between Splunk Web and search head. 
D)  Data encryption for distributed search between search heads and indexers.

Question 8

Which of the following are true statements about Splunk indexer clustering?

Accepted Answer

A)  All peer nodes must run exactly the same Splunk version. 
B)  The master node must run the same or a later Splunk version than search heads. 
C)  The peer nodes must run the same or a later Splunk version than the master node. 
D)  The search head must run the same or a later Splunk version than the peer nodes. 
A)  All peer nodes must run exactly the same Splunk version. 
B)  The master node must run the same or a later Splunk version than search heads. 
C)  The peer nodes must run the same or a later Splunk version than the master node. 
D)  The search head must run the same or a later Splunk version than the peer nodes.

Question 9

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

Accepted Answer

A)  site_search_factor = origin:2, site1:2, total:4 
B)  site_search_factor = origin:2, site2:1, total:4 
C)  site_replication_factor = origin:2, site1:2, total:4 
D)  site_replication_factor = origin:2, site2:1, total:4 
A)  site_search_factor = origin:2, site1:2, total:4 
B)  site_search_factor = origin:2, site2:1, total:4 
C)  site_replication_factor = origin:2, site1:2, total:4 
D)  site_replication_factor = origin:2, site2:1, total:4

Question 10

To activate replication for an index in an indexer cluster, what attribute must be configured in indexes.conf on all peer nodes?

Accepted Answer

A)  repFactor = 0 
B)  replicate = 0 
C)  repFactor = auto 
D)  replicate = auto 
A)  repFactor = 0 
B)  replicate = 0 
C)  repFactor = auto 
D)  replicate = auto

Question 11

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

Accepted Answer

A)  Input 
B)  Search 
C)  Parsing 
D)  Indexing 
A)  Input 
B)  Search 
C)  Parsing 
D)  Indexing

Question 12

A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf: [clustering] mode = master replication_factor = 2 pass4SymmKey = password123 Which of the following statements describe this Splunk instance? (Select all that apply.)

Accepted Answer

A)  This is a multi-site cluster. 
B)  This cluster's search factor is 2. 
C)  This Splunk instance needs to be restarted. 
D)  This instance is missing the master_uri attribute. This instance is missing the master_uri attribute. 
A)  This is a multi-site cluster. 
B)  This cluster's search factor is 2. 
C)  This Splunk instance needs to be restarted. 
D)  This instance is missing the master_uri attribute. This instance is missing the master_uri attribute.

Question 13

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

Accepted Answer

A)  SPLUNK_HOME/var/lib/searchpeers 
B)  SPLUNK_HOME/var/log/searchpeers 
C)  SPLUNK_HOME/var/run/searchpeers 
D)  SPLUNK_HOME/var/spool/searchpeers 
A)  SPLUNK_HOME/var/lib/searchpeers 
B)  SPLUNK_HOME/var/log/searchpeers 
C)  SPLUNK_HOME/var/run/searchpeers 
D)  SPLUNK_HOME/var/spool/searchpeers

Question 14

What is the minimum reference server specification for a Splunk indexer?

Accepted Answer

A)  12 CPU cores, 12GB RAM, 800 IOPS 
B)  16 CPU cores, 16GB RAM, 800 IOPS 
C)  24 CPU cores, 16GB RAM, 1200 IOPS 
D)  28 CPU cores, 32GB RAM, 1200 IOPS 
A)  12 CPU cores, 12GB RAM, 800 IOPS 
B)  16 CPU cores, 16GB RAM, 800 IOPS 
C)  24 CPU cores, 16GB RAM, 1200 IOPS 
D)  28 CPU cores, 32GB RAM, 1200 IOPS

Question 15

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

Accepted Answer

A)  High performance SAN should never be used. 
B)  Enable NFS for storing hot and warm buckets. 
C)  The recommended RAID setup is RAID 10 (1 + 0). 
D)  Virtualized environments are usually preferred over bare metal for Splunk indexers. 
A)  High performance SAN should never be used. 
B)  Enable NFS for storing hot and warm buckets. 
C)  The recommended RAID setup is RAID 10 (1 + 0). 
D)  Virtualized environments are usually preferred over bare metal for Splunk indexers.

Question 16

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

Accepted Answer

A)  Distributes apps to SHC members. 
B)  Bootstraps a clean Splunk install for a SHC. 
C)  Distributes non-search related and manual configuration file changes. 
D)  Distributes runtime knowledge object changes made by users across the SHC. 
A)  Distributes apps to SHC members. 
B)  Bootstraps a clean Splunk install for a SHC. 
C)  Distributes non-search related and manual configuration file changes. 
D)  Distributes runtime knowledge object changes made by users across the SHC.

Question 17

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

Accepted Answer

A)  Auto 
B)  None 
C)  true 
D)  false 
A)  Auto 
B)  None 
C)  true 
D)  false

Question 18

Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?

Accepted Answer

A)  Master 
B)  Captain 
C)  Deployer 
D)  Deployment server 
A)  Master 
B)  Captain 
C)  Deployer 
D)  Deployment server

Question 19

How does the average run time of all searches relate to the available CPU cores on the indexers?

Accepted Answer

A)  Average run time is independent of the number of CPU cores on the indexers. 
B)  Average run time decreases as the number of CPU cores on the indexers decreases. 
C)  Average run time increases as the number of CPU cores on the indexers decreases. 
D)  Average run time increases as the number of CPU cores on the indexers increases. 
A)  Average run time is independent of the number of CPU cores on the indexers. 
B)  Average run time decreases as the number of CPU cores on the indexers decreases. 
C)  Average run time increases as the number of CPU cores on the indexers decreases. 
D)  Average run time increases as the number of CPU cores on the indexers increases.

Question 20

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

Accepted Answer

A)  Check serverclass.conf of the deployment server. Check serverclass.conf of the deployment server. 
B)  Check deploymentclient.conf of the deployment client. deploymentclient.conf of the deployment client. 
C)  Check the content of SPLUNK_HOME/etc/apps of the deployment server. Check the content of SPLUNK_HOME/etc/apps 
D)  Search for relevant events in splunkd.log of the deployment server. Search for relevant events in splunkd.log 
A)  Check serverclass.conf of the deployment server. Check serverclass.conf of the deployment server. 
B)  Check deploymentclient.conf of the deployment client. deploymentclient.conf of the deployment client. 
C)  Check the content of SPLUNK_HOME/etc/apps of the deployment server. Check the content of SPLUNK_HOME/etc/apps 
D)  Search for relevant events in splunkd.log of the deployment server. Search for relevant events in splunkd.log

Which two sections can be expanded using the Search Job Inspector?

What is the logical first step when starting a deployment plan?

Which Splunk internal index contains license-related events?

Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

Which of the following statements describe search head clustering? (Select all that apply.)

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

Which of the following are true statements about Splunk indexer clustering?

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

To activate replication for an index in an indexer cluster, what attribute must be configured in indexes.conf on all peer nodes?

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf: [clustering] mode = master replication_factor = 2 pass4SymmKey = password123 Which of the following statements describe this Splunk instance? (Select all that apply.)

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

What is the minimum reference server specification for a Splunk indexer?

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?

How does the average run time of all searches relate to the available CPU cores on the indexers?

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 5: Splunk Enterprise Security Certified Admin

Which two sections can be expanded using the Search Job Inspector?

What is the logical first step when starting a deployment plan?

Which Splunk internal index contains license-related events?

Which of the following statements describe a Search Head Cluster (SHC) captain? (Select all that apply.)

Which of the following statements describe search head clustering? (Select all that apply.)

Splunk Enterprise platform instrumentation refers to data that the Splunk Enterprise deployment logs in the _introspection index. Which of the following logs are included in this index? (Select all that apply.)

Which of the following security options must be explicitly configured (i.e. which options are not enabled by default)?

Which of the following are true statements about Splunk indexer clustering?

In a four site indexer cluster, which configuration stores two searchable copies at the origin site, one searchable copy at site2, and a total of four searchable copies?

To activate replication for an index in an indexer cluster, what attribute must be configured in indexes.conf on all peer nodes?

In which phase of the Splunk Enterprise data pipeline are indexed extraction configurations processed?

A Splunk instance has the following settings in SPLUNK_HOME/etc/system/local/server.conf: [clustering] mode = master replication_factor = 2 pass4SymmKey = password123 Which of the following statements describe this Splunk instance? (Select all that apply.)

In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?

What is the minimum reference server specification for a Splunk indexer?

Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?

What does the deployer do in a Search Head Cluster (SHC)? (Select all that apply.)

When using the props.conf LINE_BREAKER attribute to delimit multi-line events, the SHOULD_LINEMERGE attribute should be set to what?

Which search head cluster component is responsible for pushing knowledge bundles to search peers, replicating configuration changes to search head cluster members, and scheduling jobs across the search head cluster?

How does the average run time of all searches relate to the available CPU cores on the indexers?

Which of the following clarification steps should be taken if apps are not appearing on a deployment client? (Select all that apply.)

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters