New Year Special Sale Limited Time 70% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: buysanta

Exact2Pass Menu

Question # 4

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

A.

splunk btool server list --debug

B.

splunk list forward-indexer

C.

splunk list forward-server

D.

splunk btool indexes list --debug

Full Access
Question # 5

Which of the methods listed below supports muti-factor authentication?

A.

Lightweight Directory Access Protocol (LDAP)

B.

Security Assertion Markup Language (SAML)

C.

Single Sign-on (SSO)

D.

OpenlD

Full Access
Question # 6

The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs

the following search over the last 24 hours:

index=*

What field can the administrator check to see the data distribution?

A.

host

B.

index

C.

linecount

D.

splunk_server

Full Access
Question # 7

In which phase do indexed extractions in props.conf occur?

A.

Inputs phase

B.

Parsing phase

C.

Indexing phase

D.

Searching phase

Full Access
Question # 8

Assume a file is being monitored and the data was incorrectly indexed to an exclusive index. The index is

cleaned and now the data must be reindexed. What other index must be cleaned to reset the input checkpoint

information for that file?

A.

_audit

B.

_checkpoint

C.

_introspection

D.

_thefishbucket

Full Access
Question # 9

What happens when the same username exists in Splunk as well as through LDAP?

A.

Splunk user is automatically deleted from authentication.conf.

B.

LDAP settings take precedence.

C.

Splunk settings take precedence.

D.

LDAP user is automatically deleted from authentication.conf

Full Access
Question # 10

In this example, if useACK is set to true and the maxQueueSize is set to 7MB, what is the size of the wait queue on this universal forwarder?

A.

21MB

B.

28MB

C.

14MB

D.

7MB

Full Access
Question # 11

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that

apply.)

A.

Index once.

B.

Monitor interval.

C.

On-demand monitor.

D.

Continuously monitor.

Full Access
Question # 12

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?

A.

props.conf

B.

inputs.conf

C.

outputs.conf

D.

collections.conf

Full Access
Question # 13

Which of the following are required when defining an index in indexes. conf? (select all that apply)

A.

coldPath

B.

homePath

C.

frozenPath

D.

thawedPath

Full Access
Question # 14

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require

multiple indexers. Following best practices, which types of Splunk component instances are needed?

A.

Indexers, search head, universal forwarders, license master

B.

Indexers, search head, deployment server, universal forwarders

C.

Indexers, search head, deployment server, license master, universal forwarder

D.

Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

Full Access
Question # 15

A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to

ensure that the masking takes place successfully?

A.

Make sure that props . conf and transforms . conf are both present on the in-dexer and the search head.

B.

For source A, make sure that props . conf is in place on the indexer; and for source B, make sure transforms . conf is present on the Heavy Forwarder.

C.

Make sure that props . conf and transforms . conf are both present on the Universal Forwarder.

D.

Place both props . conf and transforms . conf on the Heavy Forwarder for source A, and place both props . conf and transforms . conf on the indexer for source B.

Full Access
Question # 16

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?

A.

REGEX, DEST. FORMAT

B.

REGEX. SRC_KEY, FORMAT

C.

REGEX, DEST_KEY, FORMAT

D.

REGEX, DEST_KEY FORMATTING

Full Access
Question # 17

When running a real-time search, search results are pulled from which Splunk component?

A.

Heavy forwarders and search peers

B.

Heavy forwarders

C.

Search heads

D.

Search peers

Full Access
Question # 18

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?

A.

On Universal Forwarder, $SPLUNK_HOME/etc/apps

B.

On Deployment Server, $SPLUNK_HOME/etc/apps

C.

On Deployment Server, $SPLUNK_HOME/etc/deployment-apps

D.

On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps

Full Access
Question # 19

When indexing a data source, which fields are considered metadata?

A.

source, host, time

B.

time, sourcetype, source

C.

host, raw, sourcetype

D.

sourcetype, source, host

Full Access
Question # 20

Where should apps be located on the deployment server that the clients pull from?

A.

$SFLUNK_KOME/etc/apps

B.

$SPLUNK_HCME/etc/sear:ch

C.

$SPLUNK_HCME/etc/master-apps

D.

$SPLUNK HCME/etc/deployment-apps

Full Access
Question # 21

This file has been manually created on a universal forwarder

A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?

A.

/var/log/messages

B.

/var/log/maillog

C.

/var/log/maillog and /var/log/messages

D.

none of the above

Full Access
Question # 22

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

A.

Slash notation

B.

Regular expression

C.

Irregular expression

D.

Wildcard-only expression

Full Access
Question # 23

A company moves to a distributed architecture to meet the growing demand for the use of Splunk. What parameter can be configured to enable automatic load balancing in the

Universal Forwarder to send data to the indexers?

A.

Create one outputs . conf file for each of the server addresses in the indexing tier.

B.

Configure the outputs . conf file to point to any server in the indexing tier and Splunk will configure the data to be sent to all of the indexers.

C.

Splunk does not do load balancing and requires a hardware load balancer to balance traffic across the indexers.

D.

Set the stanza to have a server value equal to a comma-separated list of IP addresses and indexer ports for each of the indexers in the environment.

Full Access
Question # 24

The following stanza is active in indexes.conf:

[cat_facts]

maxHotSpanSecs = 3600

frozenTimePeriodInSecs = 2630000

maxTota1DataSizeMB = 650000

All other related indexes.conf settings are default values.

If the event timestamp was 3739283 seconds ago, will it be searchable?

A.

Yes, only if the bucket is still hot.

B.

No, because the index will have exceeded its maximum size.

C.

Yes, only if the index size is also below 650000 MB.

D.

No, because the event time is greater than the retention time.

Full Access
Question # 25

Immediately after installation, what will a Universal Forwarder do first?

A.

Automatically detect any indexers in its subnet and begin routing data.

B.

Begin reading local files on its server.

C.

Begin generating internal Splunk logs.

D.

Send an email to the operator that the installation process has completed.

Full Access
Question # 26

When using license pools, volume allocations apply to which Splunk components?

A.

Indexers

B.

Indexes

C.

Heavy Forwarders

D.

Search Heads

Full Access
Question # 27

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?

A.

diskQueueSize

B.

durableQueueSize

C persistentOueueSize

C.

queueSize

Full Access
Question # 28

Where are license files stored?

A.

$SPLUNK_HOME/etc/secure

B.

$SPLUNK_HOME/etc/system

C.

$SPLUNK_HOME/etc/licenses

D.

$SPLUNK_HOME/etc/apps/licenses

Full Access
Question # 29

Which setting allows the configuration of Splunk to allow events to span over more than one line?

A.

SHOULD_LINEMERGE = true

B.

BREAK_ONLY_BEFORE_DATE = true

C.

BREAK_ONLY_BEFORE =

D.

SHOULD_LINEMERGE = false

Full Access
Question # 30

Which of the following enables compression for universal forwarders in outputs. conf ?

A)

B)

C)

D)

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 31

Where can scripts for scripted inputs reside on the host file system? (select all that apply)

A.

$SFLUNK_HOME/bin/scripts

B.

$SPLUNK_HOME/etc/apps/bin

C.

$SPLUNK_HOME/etc/system/bin

D.

$S?LUNK_HOME/etc/apps//bin_

Full Access
Question # 32

An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)

A.

bucketdb

B.

frozendb

C.

colddb

D.

db

Full Access
Question # 33

Which of the following types of data count against the license daily quota?

A.

Replicated data

B.

splunkd logs

C.

Summary index data

D.

Windows internal logs

Full Access
Question # 34

In which Splunk configuration is the SEDCMD used?

A.

props, conf

B.

inputs.conf

C.

indexes.conf

D.

transforms.conf

Full Access
Question # 35

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

A.

Indexers

B.

Forwarder

C.

Search head

D.

Search peers

Full Access
Question # 36

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?

A.

services/ collector

B.

services/ inputs ? raw

C.

services/ data/ collector

D.

data/ collector

Full Access
Question # 37

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

A.

A token-based HTTP input that is secure and scalable and that requires the use of forwarders

B.

A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.

C.

An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.

D.

A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Full Access
Question # 38

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?

A.

followTail = -45d

B.

ignore = 45d

C.

includeNewerThan = -35d

D.

ignoreOlderThan = 45d

Full Access
Question # 39

What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?

A.

... is not supported in monitor stanzas

B.

There is no difference, they are interchangable and match anything beyond directory boundaries.

C.

* matches anything in that specific directory path segment, whereas ... recurses through subdirectories as well.

D.

... matches anything in that specific directory path segment, whereas - recurses through subdirectories as well.

Full Access
Question # 40

If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component

would the fishbucket need to be reset in order to reindex the data?

A.

Indexer

B.

Forwarder

C.

Search head

D.

Deployment server

Full Access
Question # 41

Which additional component is required for a search head cluster?

A.

Deployer

B.

Cluster Master

C.

Monitoring Console

D.

Management Console

Full Access
Question # 42

Which of the following is an appropriate description of a deployment server in a non-cluster environment?

A.

Allows management of local Splunk instances, requires Enterprise license, handles job of sending configurations packaged as apps. can automatically restart remote Splunk instances.

B.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can automatically restart remote Splunk instances.

C.

Allows management of remote Splunk instances, requires no license, handles job of sending configurations, can automatically restart remote Splunk instances.

D.

Allows management of remote Splunk instances, requires Enterprise license, handles job of sending configurations, can manually restart remote Splunk instances.

Full Access
Question # 43

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?

A.

Universal forwarders

B.

Splunk Cloud

C.

Linux package managers

D.

Windows using WMI

Full Access
Question # 44

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)

A.

props.conf

B.

inputs.conf

C.

rawdata.conf

D.

transforms.conf

Full Access
Question # 45

An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the default props.conf below, which SPLUNK_HOME/etc/users/buttercup/myTA/local/props.conf stanza can be added to the user’s local context to disable the field aliases?

A.

Option A

B.

Option B

C.

Option C

D.

Option D

Full Access
Question # 46

What conf file needs to be edited to set up distributed search groups?

A.

props.conf

B.

search.conf

C.

distsearch.conf

D.

distibutedsearch.conf

Full Access
Question # 47

The CLI command splunk add forward-server indexer: will create stanza(s) in

which configuration file?

A.

inputs.conf

B.

indexes.conf

C.

outputs.conf

D.

servers.conf

Full Access
Question # 48

What type of Splunk license is pre-selected in a brand new Splunk installation?

A.

Free license

B.

Forwarder license

C.

Enterprise trial license

D.

Enterprise license

Full Access
Question # 49

Which of the following accurately describes HTTP Event Collector indexer acknowledgement?

A.

It requires a separate channel provided by the client.

B.

It is configured the same as indexer acknowledgement used to protect in-flight data.

C.

It can be enabled at the global setting level.

D.

It stores status information on the Splunk server.

Full Access
Question # 50

Which forwarder is recommended by Splunk to use in a production environment?

A.

Heavy forwarder

B.

SSL forwarder

C.

Lightweight forwarder

D.

Universal forwarder

Full Access
Question # 51

In a distributed environment, which Splunk component is used to distribute apps and configurations to the

other Splunk instances?

A.

Indexer

B.

Deployer

C.

Forwarder

D.

Deployment server

Full Access
Question # 52

What action is required to enable forwarder management in Splunk Web?

A.

Navigate to Settings > Server Settings > General Settings, and set an App server port.

B.

Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding.

C.

Create a server class and map it to a client in SPLUNK_HOME/etc/system/local/serverclass.conf.

D.

Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server.

Full Access
Question # 53

What will the following inputs. conf stanza do?

[script://myscript . sh]

Interval=0

A.

The script will run at the default interval of 60 seconds.

B.

The script will not be run.

C.

The script will be run only once for each time Splunk is restarted.

D.

The script will be run. As soon as the script exits, Splunk restarts it.

Full Access
Question # 54

Running this search in a distributed environment:

On what Splunk component does the eval command get executed?

A.

Heavy Forwarders

B.

Universal Forwarders

C.

Search peers

D.

Search heads

Full Access
Question # 55

You update a props. conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btoo1 props list —debug. What will the output be?

A.

list of all the configurations on-disk that Splunk contains.

B.

A verbose list of all configurations as they were when splunkd started.

C.

A list of props. conf configurations as they are on-disk along with a file path from which the configuration is located

D.

A list of the current running props, conf configurations along with a file path from which the configuration was made

Full Access