Question 1

A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?

Accepted Answer

A)  1. Add new indexers to the cluster as peers, in the same site (if needed). 2. Ensure new indexers receive common configuration. 3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list. 
B)  1. Add new indexers to the cluster as peers, to a new site. 2. Ensure new indexers receive common configuration from the CM. 
C)  1. Add new indexers to the cluster as peers, in the same site. 2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers. 3. Allow time for CM to fix/migrate buckets to new hardware. 
D)  1. Add new indexers to the cluster as new site. 2. Update cluster master (CM) server.conf to include the new available site. 4. Remove the old indexers from the CM's list. 2. Update cluster master (CM) server.conf to include the new available site. 
A)  1. Add new indexers to the cluster as peers, in the same site (if needed). 2. Ensure new indexers receive common configuration. 3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list. 
B)  1. Add new indexers to the cluster as peers, to a new site. 2. Ensure new indexers receive common configuration from the CM. 
C)  1. Add new indexers to the cluster as peers, in the same site. 2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers. 3. Allow time for CM to fix/migrate buckets to new hardware. 
D)  1. Add new indexers to the cluster as new site. 2. Update cluster master (CM) server.conf to include the new available site. 4. Remove the old indexers from the CM's list. 2. Update cluster master (CM) server.conf to include the new available site. B

Question 2

A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?

Accepted Answer

A)  Topology Category Code: M4 
B)  Topology Category Code: M14 
C)  Topology Category Code: C13 
D)  Topology Category Code: C3 
A)  Topology Category Code: M4 
B)  Topology Category Code: M14 
C)  Topology Category Code: C13 
D)  Topology Category Code: C3 B

Question 3

Which command is most efficient in finding the pass4SymmKey of an index cluster?

Accepted Answer

A)  find / -name server.conf -print | grep pass4SymKey 
B)  $SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/unhash_app/storage/passwords 
C)  $SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey 
D)  $SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep pass4SymmKey 
A)  find / -name server.conf -print | grep pass4SymKey 
B)  $SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/unhash_app/storage/passwords 
C)  $SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey 
D)  $SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep pass4SymmKey D

Question 4

What does Splunk do when it indexes events?

Accepted Answer

A)  Extracts the top 10 fields. 
B)  Extracts metadata fields such as host , source , sourcetype . Extracts metadata fields such as host , source sourcetype . 
C)  Performs parsing, merging, and typing processes on universal forwarders. 
D)  Create report acceleration summaries. 
A)  Extracts the top 10 fields. 
B)  Extracts metadata fields such as host , source , sourcetype . Extracts metadata fields such as host , source sourcetype . 
C)  Performs parsing, merging, and typing processes on universal forwarders. 
D)  Create report acceleration summaries.

Question 5

In a single indexer cluster, where should the Monitoring Console (MC) be installed?

Accepted Answer

A)  Deployer sharing with master cluster. 
B)  License master that has 50 clients or more. 
C)  Cluster master node 
D)  Production Search Head 
A)  Deployer sharing with master cluster. 
B)  License master that has 50 clients or more. 
C)  Cluster master node 
D)  Production Search Head

Question 6

What is the default push mode for a search head cluster deployer app configuration bundle?

Accepted Answer

A)  full 
B)  merge_to_default 
C)  default_only 
D)  local_only 
A)  full 
B)  merge_to_default 
C)  default_only 
D)  local_only

Question 7

What should be considered when running the following CLI commands with a goal of accelerating an index cluster migration to new hardware?

Accepted Answer

A)  Data ingestion rate 
B)  Network latency and storage IOPS 
C)  Distance and location 
D)  SSL data encryption 
A)  Data ingestion rate 
B)  Network latency and storage IOPS 
C)  Distance and location 
D)  SSL data encryption

Question 8

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

Accepted Answer

A)  For non-production environments to keep their configurations in sync. 
B)  To ensure every customer has exactly the same base settings. 
C)  To provide settings that do not need to be customized to meet customer requirements. 
D)  To provide settings that can be customized to meet customer requirements. 
A)  For non-production environments to keep their configurations in sync. 
B)  To ensure every customer has exactly the same base settings. 
C)  To provide settings that do not need to be customized to meet customer requirements. 
D)  To provide settings that can be customized to meet customer requirements.

Question 9

Where does the bloomfilter reside?

Accepted Answer

A)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8 
B)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/*.tsidx 
C)  $SPLUNK_HOME/var/lib/splunk/fishbucket 
D)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/rawdata 
A)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8 
B)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/*.tsidx 
C)  $SPLUNK_HOME/var/lib/splunk/fishbucket 
D)  $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/rawdata

Question 10

How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?

Accepted Answer

A)  The MC uses a REST endpoint to query the server. 
B)  Roles are manually assigned within the MC. 
C)  Roles are read from distsearch.conf . Roles are read from distsearch.conf . 
D)  The MC assigns all possible roles by default. 
A)  The MC uses a REST endpoint to query the server. 
B)  Roles are manually assigned within the MC. 
C)  Roles are read from distsearch.conf . Roles are read from distsearch.conf . 
D)  The MC assigns all possible roles by default.

Question 11

In preparation for the deployment of a new environment for a customer, which of the following mappings are correct per PS best practices?

Accepted Answer

A)    
B)    
C)    
D)    
A)    
B)    
C)    
D)

Question 12

A customer has a multisite cluster (two sites, each site in its own data center) and users experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations. Which of the following would be the least expensive and easiest way to improve search performance?

Accepted Answer

A)  Configure site_search_factor to ensure a searchable copy exists in the local site for each search head. Configure site_search_factor to ensure a searchable copy exists in the local site for each search head. 
B)  Move all indexers and search heads in one of the data centers into the same site. 
C)  Install a network pipe with more bandwidth between the two data centers. 
D)  Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site. Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site. 
A)  Configure site_search_factor to ensure a searchable copy exists in the local site for each search head. Configure site_search_factor to ensure a searchable copy exists in the local site for each search head. 
B)  Move all indexers and search heads in one of the data centers into the same site. 
C)  Install a network pipe with more bandwidth between the two data centers. 
D)  Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site. Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.

Question 13

A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?

Accepted Answer

A)  Create a tiered deployment server topology. 
B)  Reduce the phone home interval to 6 seconds. 
C)  Leave the phone home interval at 60 seconds. 
D)  Increase the phone home interval to 600 seconds. 
A)  Create a tiered deployment server topology. 
B)  Reduce the phone home interval to 6 seconds. 
C)  Leave the phone home interval at 60 seconds. 
D)  Increase the phone home interval to 600 seconds.

Question 14

What is the Splunk PS recommendation when using the deployment server and building deployment apps?

Accepted Answer

A)  Carefully design smaller apps with specific configuration that can be reused. 
B)  Only deploy Splunk PS base configurations via the deployment server. 
C)  Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server. Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server. 
D)  Carefully design bigger apps containing multiple configs. 
A)  Carefully design smaller apps with specific configuration that can be reused. 
B)  Only deploy Splunk PS base configurations via the deployment server. 
C)  Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server. Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server. 
D)  Carefully design bigger apps containing multiple configs.

Question 15

A customer has a search cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages. Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?

Accepted Answer

A)  The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored. 
B)  The SHC will stop all scheduled search activity within the SHC. 
C)  The SHC will function as expected as the minimum required number of nodes for a SHC is 3. 
D)  The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site. 
A)  The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored. 
B)  The SHC will stop all scheduled search activity within the SHC. 
C)  The SHC will function as expected as the minimum required number of nodes for a SHC is 3. 
D)  The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.

Question 16

The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing. Here is an excerpt from the cluster mater's server.conf :   Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?

Accepted Answer

A)  Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online. 
B)  Leave replication_factor=2 , increase search_factor=2 and enable summary_replication . Leave replication_factor=2 , increase search_factor=2 and enable summary_replication . 
C)  Convert the cluster to multi-site and modify the server.conf to be site_replication_factor=2 , site _search_factor=2 . Convert the cluster to multi-site and modify the to be site_replication_factor=2 , site _search_factor=2 
D)  Increase replication_factor=3 , search_factor=2 to protect the data, and allow there to always be a searchable copy. Increase replication_factor=3 , to protect the data, and allow there to always be a searchable copy. 
A)  Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online. 
B)  Leave replication_factor=2 , increase search_factor=2 and enable summary_replication . Leave replication_factor=2 , increase search_factor=2 and enable summary_replication . 
C)  Convert the cluster to multi-site and modify the server.conf to be site_replication_factor=2 , site _search_factor=2 . Convert the cluster to multi-site and modify the to be site_replication_factor=2 , site _search_factor=2 
D)  Increase replication_factor=3 , search_factor=2 to protect the data, and allow there to always be a searchable copy. Increase replication_factor=3 , to protect the data, and allow there to always be a searchable copy.

Question 17

In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?

Accepted Answer

A)  All universal forwarders. 
B)  Only the indexers. 
C)  All heavy forwarders. 
D)  On all parsing Splunk instances. 
A)  All universal forwarders. 
B)  Only the indexers. 
C)  All heavy forwarders. 
D)  On all parsing Splunk instances.

Question 18

A customer is using both internal Splunk authentication and LDAP for user management. If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

Accepted Answer

A)  The internal Splunk authentication will take precedence. 
B)  Authentication will only succeed if the password is the same in both systems. 
C)  The LDAP user account will take precedence. 
D)  Splunk will error as it does not support overlapping usernames 
A)  The internal Splunk authentication will take precedence. 
B)  Authentication will only succeed if the password is the same in both systems. 
C)  The LDAP user account will take precedence. 
D)  Splunk will error as it does not support overlapping usernames

Question 19

In an environment that has Indexer Clustering, the Monitoring Console (MC) provides dashboards to monitor environment health. As the environment grows over time and new indexers are added, which steps would ensure the MC is aware of the additional indexers?

Accepted Answer

A)  No changes are necessary, the Monitoring Console has self-configuration capabilities. 
B)  Using the MC setup UI, review and apply the changes. 
C)  Remove and re-add the cluster master from the indexer clustering UI page to add new peers, then apply the changes under the MC setup UI. 
D)  Each new indexer needs to be added using the distributed search UI, then settings must be saved under the MC setup UI. 
A)  No changes are necessary, the Monitoring Console has self-configuration capabilities. 
B)  Using the MC setup UI, review and apply the changes. 
C)  Remove and re-add the cluster master from the indexer clustering UI page to add new peers, then apply the changes under the MC setup UI. 
D)  Each new indexer needs to be added using the distributed search UI, then settings must be saved under the MC setup UI.

Question 20

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

Accepted Answer

A)  Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design. 
B)  Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision. 
C)  Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design. 
D)  Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience. 
A)  Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design. 
B)  Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision. 
C)  Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design. 
D)  Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.

A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?

A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?

Which command is most efficient in finding the pass4SymmKey of an index cluster?

What does Splunk do when it indexes events?

In a single indexer cluster, where should the Monitoring Console (MC) be installed?

What is the default push mode for a search head cluster deployer app configuration bundle?

What should be considered when running the following CLI commands with a goal of accelerating an index cluster migration to new hardware?

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

Where does the bloomfilter reside?

How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?

In preparation for the deployment of a new environment for a customer, which of the following mappings are correct per PS best practices?

A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?

What is the Splunk PS recommendation when using the deployment server and building deployment apps?

In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?

A customer is using both internal Splunk authentication and LDAP for user management. If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

In an environment that has Indexer Clustering, the Monitoring Console (MC) provides dashboards to monitor environment health. As the environment grows over time and new indexers are added, which steps would ensure the MC is aware of the additional indexers?

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Filters

Exam 7: Splunk Core Certified Consultant

A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?

A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?

Which command is most efficient in finding the pass4SymmKey of an index cluster?

What does Splunk do when it indexes events?

In a single indexer cluster, where should the Monitoring Console (MC) be installed?

What is the default push mode for a search head cluster deployer app configuration bundle?

What should be considered when running the following CLI commands with a goal of accelerating an index cluster migration to new hardware?

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

Where does the bloomfilter reside?

How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?

In preparation for the deployment of a new environment for a customer, which of the following mappings are correct per PS best practices?

A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?

What is the Splunk PS recommendation when using the deployment server and building deployment apps?

In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?

A customer is using both internal Splunk authentication and LDAP for user management. If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

In an environment that has Indexer Clustering, the Monitoring Console (MC) provides dashboards to monitor environment health. As the environment grows over time and new indexers are added, which steps would ensure the MC is aware of the additional indexers?

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

Splunk Core Certified User

Splunk Enterprise Certified Admin

Splunk Certified Developer

Splunk Enterprise Certified Architect

Splunk Enterprise Security Certified Admin

Splunk IT Service Intelligence Certified Admin

Filters