Question 1

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

Accepted Answer

A)  Use TCP syslog. 
B)  Configure UDP inputs on each Splunk indexer to receive data directly. 
C)  Use a network load balancer to direct syslog traffic to active backend syslog listeners. 
D)  Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers. 
A)  Use TCP syslog. 
B)  Configure UDP inputs on each Splunk indexer to receive data directly. 
C)  Use a network load balancer to direct syslog traffic to active backend syslog listeners. 
D)  Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.

Question 2

What is the default log size for Splunk internal logs?

Accepted Answer

A)  10MB 
B)  20 MB 
C)  25MB 
D)  30MB 
A)  10MB 
B)  20 MB 
C)  25MB 
D)  30MB

Question 3

To optimize the distribution of primary buckets; when does primary rebalancing automatically occur? (Select all that apply.)

Accepted Answer

A)  Rolling restart completes. 
B)  Master node rejoins the cluster. 
C)  Captain joins or rejoins cluster. 
D)  A peer node joins or rejoins the cluster. 
A)  Rolling restart completes. 
B)  Master node rejoins the cluster. 
C)  Captain joins or rejoins cluster. 
D)  A peer node joins or rejoins the cluster.

Question 4

When Splunk indexes data in a non clustered environment, what kind of files does it create by default?

Accepted Answer

A)  Index and .tsidx files. 
B)  Rawdata and index files. 
C)  Compressed and .tsidx files. 
D)  Compressed and meta data files. 
A)  Index and .tsidx files. 
B)  Rawdata and index files. 
C)  Compressed and .tsidx files. 
D)  Compressed and meta data files.

Question 5

Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?

Accepted Answer

A)  btool 
B)  DiagGen 
C)  SPL Clinic 
D)  Monitoring Console 
A)  btool 
B)  DiagGen 
C)  SPL Clinic 
D)  Monitoring Console

Question 6

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

Accepted Answer

A)  Create a job server on the cluster. 
B)  Add another search head to the cluster. 
C)  server.conf captain_is_adhoc_searchhead = true . server.conf captain_is_adhoc_searchhead = true . 
D)  Change limits.conf value for max_searches_per_cpu to a higher value. Change limits.conf value for max_searches_per_cpu to a higher value. 
A)  Create a job server on the cluster. 
B)  Add another search head to the cluster. 
C)  server.conf captain_is_adhoc_searchhead = true . server.conf captain_is_adhoc_searchhead = true . 
D)  Change limits.conf value for max_searches_per_cpu to a higher value. Change limits.conf value for max_searches_per_cpu to a higher value.

Question 7

A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

Accepted Answer

A)  splunk add cluster-config 
B)  splunk add cluster-master 
C)  splunk edit cluster-config 
D)  splunk edit cluster-master 
A)  splunk add cluster-config 
B)  splunk add cluster-master 
C)  splunk edit cluster-config 
D)  splunk edit cluster-master

Question 8

Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

Accepted Answer

A)  Use case checklist. 
B)  Install Splunk apps. 
C)  Inventory data sources. 
D)  Review network topology. 
A)  Use case checklist. 
B)  Install Splunk apps. 
C)  Inventory data sources. 
D)  Review network topology.

Question 9

Which of the following is a best practice to maximize indexing performance?

Accepted Answer

A)  Use automatic sourcetyping. 
B)  Use the Splunk default settings. 
C)  Not use pre-trained source types. 
D)  Minimize configuration generality. 
A)  Use automatic sourcetyping. 
B)  Use the Splunk default settings. 
C)  Not use pre-trained source types. 
D)  Minimize configuration generality.

Question 10

Which command is used for thawing the archive bucket?

Accepted Answer

A)  Splunk collect 
B)  Splunk convert 
C)  Splunk rebuild 
D)  Splunk dbinspect 
A)  Splunk collect 
B)  Splunk convert 
C)  Splunk rebuild 
D)  Splunk dbinspect

Question 11

Which Splunk Enterprise offering has its own license?

Accepted Answer

A)  Splunk Cloud Forwarder 
B)  Splunk Heavy Forwarder 
C)  Splunk Universal Forwarder 
D)  Splunk Forwarder Management 
A)  Splunk Cloud Forwarder 
B)  Splunk Heavy Forwarder 
C)  Splunk Universal Forwarder 
D)  Splunk Forwarder Management

Question 12

In the deployment planning process, when should a person identify who gets to see network data?

Accepted Answer

A)  Deployment schedule 
B)  Topology diagramming 
C)  Data source inventory 
D)  Data policy definition 
A)  Deployment schedule 
B)  Topology diagramming 
C)  Data source inventory 
D)  Data policy definition

Question 13

When Splunk is installed, where are the internal indexes stored by default?

Accepted Answer

A)  SPLUNK_HOME/bin 
B)  SPLUNK_HOME/var/lib 
C)  SPLUNK_HOME/var/run 
D)  SPLUNK_HOME/etc/system/default 
A)  SPLUNK_HOME/bin 
B)  SPLUNK_HOME/var/lib 
C)  SPLUNK_HOME/var/run 
D)  SPLUNK_HOME/etc/system/default

Question 14

Which of the following is a good practice for a search head cluster deployer?

Accepted Answer

A)  The deployer only distributes configurations to search head cluster members when they "phone home". 
B)  The deployer must be used to distribute non-replicable configurations to search head cluster members. 
C)  The deployer must distribute configurations to search head cluster members to be valid configurations. 
D)  The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle . The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle . 
A)  The deployer only distributes configurations to search head cluster members when they "phone home". 
B)  The deployer must be used to distribute non-replicable configurations to search head cluster members. 
C)  The deployer must distribute configurations to search head cluster members to be valid configurations. 
D)  The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle . The deployer only distributes configurations to search head cluster members with splunk apply shcluster-bundle .

Question 15

As a best practice, where should the internal licensing logs be stored?

Accepted Answer

A)  Indexing layer. 
B)  License server. 
C)  Deployment layer. 
D)  Search head layer. 
A)  Indexing layer. 
B)  License server. 
C)  Deployment layer. 
D)  Search head layer.

Question 16

When should multiple search pipelines be enabled?

Accepted Answer

A)  Only if disk IOPS is at 800 or better. 
B)  Only if there are fewer than twelve concurrent users. 
C)  Only if running Splunk Enterprise version 6.6 or later. 
D)  Only if CPU and memory resources are significantly under-utilized. 
A)  Only if disk IOPS is at 800 or better. 
B)  Only if there are fewer than twelve concurrent users. 
C)  Only if running Splunk Enterprise version 6.6 or later. 
D)  Only if CPU and memory resources are significantly under-utilized.

Question 17

The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

Accepted Answer

A)  25 
B)  50 
C)  100 
D)  Unlimited 
A)  25 
B)  50 
C)  100 
D)  Unlimited

Question 18

Which of the following can a Splunk diag contain?

Accepted Answer

A)  Search history, Splunk users and their roles, running processes, indexed data 
B)  Server specs, current open connections, internal Splunk log files, index listings 
C)  KV store listings, internal Splunk log files, search peer bundles listings, indexed data 
D)  Splunk platform configuration details, Splunk users and their roles, current open connections, index listings 
A)  Search history, Splunk users and their roles, running processes, indexed data 
B)  Server specs, current open connections, internal Splunk log files, index listings 
C)  KV store listings, internal Splunk log files, search peer bundles listings, indexed data 
D)  Splunk platform configuration details, Splunk users and their roles, current open connections, index listings

Question 19

When troubleshooting monitor inputs, which command checks the status of the tailed files?

Accepted Answer

A)  splunk cmd btool inputs list | tail 
B)  splunk cmd btool check inputs layer 
C)  curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus 
D)  curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus 
A)  splunk cmd btool inputs list | tail 
B)  splunk cmd btool check inputs layer 
C)  curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:FileStatus 
D)  curl https://serverhost:8089/services/admin/inputstatus/TailingProcessor:Tailstatus

Question 20

Which Splunk server role regulates the functioning of indexer cluster?

Accepted Answer

A)  Indexer 
B)  Deployer 
C)  Master Node 
D)  Monitoring Console 
A)  Indexer 
B)  Deployer 
C)  Master Node 
D)  Monitoring Console

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

What is the default log size for Splunk internal logs?

To optimize the distribution of primary buckets; when does primary rebalancing automatically occur? (Select all that apply.)

When Splunk indexes data in a non clustered environment, what kind of files does it create by default?

Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

Which of the following is a best practice to maximize indexing performance?

Which command is used for thawing the archive bucket?

Which Splunk Enterprise offering has its own license?

In the deployment planning process, when should a person identify who gets to see network data?

When Splunk is installed, where are the internal indexes stored by default?

Which of the following is a good practice for a search head cluster deployer?

As a best practice, where should the internal licensing logs be stored?

When should multiple search pipelines be enabled?

The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

Which of the following can a Splunk diag contain?

When troubleshooting monitor inputs, which command checks the status of the tailed files?

Which Splunk server role regulates the functioning of indexer cluster?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters

Exam 5: Splunk Enterprise Security Certified Admin

Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)

What is the default log size for Splunk internal logs?

To optimize the distribution of primary buckets; when does primary rebalancing automatically occur? (Select all that apply.)

When Splunk indexes data in a non clustered environment, what kind of files does it create by default?

Which Splunk tool offers a health check for administrators to evaluate the health of their Splunk deployment?

A three-node search head cluster is skipping a large number of searches across time. What should be done to increase scheduled search capacity on the search head cluster?

A search head has successfully joined a single site indexer cluster. Which command is used to configure the same search head to join another indexer cluster?

Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)

Which of the following is a best practice to maximize indexing performance?

Which command is used for thawing the archive bucket?

Which Splunk Enterprise offering has its own license?

In the deployment planning process, when should a person identify who gets to see network data?

When Splunk is installed, where are the internal indexes stored by default?

Which of the following is a good practice for a search head cluster deployer?

As a best practice, where should the internal licensing logs be stored?

When should multiple search pipelines be enabled?

The KV store forms its own cluster within a SHC. What is the maximum number of SHC members KV store will form?

Which of the following can a Splunk diag contain?

When troubleshooting monitor inputs, which command checks the status of the tailed files?

Which Splunk server role regulates the functioning of indexer cluster?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk IT Service Intelligence Certified Admin

Splunk Core Certified Consultant

Filters