
SPLK-1003 Splunk Enterprise Certified Admin

Study online at https://quizlet.com/_b6eqdt

1. Which Splunk component receives, indexes, and stores incoming data from forwarders?
a) Indexer
b) Search head
c) Cluster master
d) Deployment server
Answer: Indexer

2. Which license type allows 500MB/day of indexing, but disables alerts, authentication, cluster, distributed search, summarization, and forwarding to non-Splunk servers?
a) Free license
b) Forwarder license
c) Enterprise license
d) Enterprise trial license
Answer: Free license

3. What can be used when setting the host field option on a network input? (select all that apply)
a) IP
b) DNS
c) A binary file
d) Custom (explicit value)
Answer: a, b, d

4. Splunk licensing is measured by
a) Amount of ingested data per day
b) Amount of storage used
c) Processor cores
d) Memory (GB)
Answer: Amount of ingested data per day

5. Which of the following is not a Splunk license type?
a) Standard
b) Free
c) Advanced
d) Industrial IoT
Answer: Advanced

6. True or False: When you exceed your licensed data ingestion quota, search is disabled.
Answer: False

7. A license stack is
a) A distributed license environment governed by a license master.
b) A quantity of license volume "carved out" for a specific purpose.
c) A collection of licenses whose individual licensing volume amounts aggregate to serve as a single unified amount of indexing volume.
d) A Splunk Enterprise instance controlled by a license master.
Answer: A collection of licenses whose individual licensing volume amounts aggregate to serve as a single unified amount of indexing volume.

8. The Splunk Free (perpetual) license allows for __ per day of ingested data.
a) <300MB
b) <500MB
c) <100MB
d) <200MB
Answer: <500MB

9. You need a Splunk environment that's customized for your particular use case. You want to use Splunk Cloud. Which of the following is the best option?
a) Provision a self-service Splunk Cloud directly from the website
b) Work with a Splunk sales representative to set up Splunk Managed Cloud
c) Provision a virtual machine in the cloud and install Splunk Enterprise on it
d) Splunk Cloud does not support custom implementations
Answer: Work with a Splunk sales representative to set up Splunk Managed Cloud.

10. To start Splunk from the command line, you need to be in the _____ directory.
a) bin
b) etc
c) lib
d) var
Answer: bin

11. True or False: When installing Splunk in Windows, you can install it as either a local system user, or a domain account user.
Answer: True

12. Which Splunk component receives, indexes, and stores incoming data from forwarders?
a) Forwarder
b) Deployer
c) Indexer
d) Cluster master
Answer: Indexer

13. With which Splunk component can you forward data directly to a search head?
a) .conf file
b) Indexer
c) Receiver
d) Forwarder
Answer: Forwarder

14. True or False: Heavy forwarders cannot parse data, they only forward data.
Answer: False

15. Which Splunk component manages requests from users?
a) Search head
b) Indexer
c) Forwarder
d) Deployer
Answer: Search Head

16. Which Splunk component manages baselines and apps for search head cluster members?
a) Deployment server
b) Deployer
c) Cluster master
d) License master
Answer: Deployer

17. Which of the following are the two categories of Splunk components?
a) Searching and Deploying
b) Parsing and Indexing
c) Delivery and Installation
d) Processing and Management
Answer: Processing and Management

18. Which of the following cannot receive data?
a) Forwarders
b) Indexers
c) Search heads
d) None of the above
Answer: None of the above

19. What happens when there are multiple instances of the same configuration file?
a) Splunk asks which one you want to delete
b) Splunk combines all stanzas from all configuration files and applies them globally
c) Splunk evaluates them based on precedence
d) Splunk crashes
Answer: Splunk combines all stanzas from all configuration files and applies them globally

20. Which configuration file defines indexes?
a) transforms.conf
b) props.conf
c) inputs.conf
d) outputs.conf
Answer: inputs.conf

21. In Linux, the default $SPLUNK_HOME directory is
a) /etc/splunk
b) /dev/splunk
c) /opt/splunk
d) var/splunk
Answer: /opt/splunk

22. Global configuration files reside in
a) /var/lib
b) /etc/users/<username>
c) /etc/apps/<app_name>
d) /etc/system
Answer: /etc/system

23. The general precedence for configuration files is
a) local then default
b) default then local
c) local then modified
d) modified then local
Answer: local then default

24. Which of the following is the best way to see which stanzas from which configuration files Splunk is using at runtime?
a) Run the search "runtime=*"
b) Use btool
c) Check the Linux PIDs or Windows Perfmon for running processes
d) Delete all unnecessary configuration files
Answer: Use btool

25. Within a configuration file, different sections are broken out by
a) attributes
b) values
c) stanzas
d) rows
Answer: stanzas

26. True or False: When you create a new index, Splunk appends the indexes.conf file located at $SPLUNK_HOME/etc/system/default/indexes.conf
Answer: False

27. Configuration files can be edited
a) In Splunk web
b) In the CLI
c) A only
d) B only
e) A&B
Answer: A&B

28. The file extension for configuration files is
a) .txt
b) .bin
c) .vim
d) .conf
Answer: .conf

29. Which type of data do indexes not contain?
a) Raw
b) Pointers
c) Relational
d) Metadata
Answer: Relational

30. The default type of indexes is
a) event
b) metrics
c) lookups
d) recursive
Answer: event

31. Buckets are organized and processed by
a) preference
b) age
c) location in the file system
d) date created
Answer: age

32. The most "live" data exists in which bucket?
a) Warm
b) Cold
c) Hot
d) Thawed
Answer: Hot

33. True or False: The frozen bucket is where archived data is stored.
Answer: True

34. In which bucket is archived data restored?
a) Hot
b) Cold
c) Fish
d) Thawed
Answer: Thawed

35. A level 2 hash is computed
a) between the source and the hot bucket
b) between the cold and thawed buckets
c) between the hot and warm buckets
d) between the thawed and fish buckets
Answer: between the hot and warm buckets

36. The CLI command to check hashes to validate data is
a) ./splunk start --accept-license
b) ./splunk check-integrity -bucketPath [ bucket path ] [ -verbose ]
c) ./splunk cmd -btool list [ filename ]
d) ./splunk cmd <tool>
Answer: ./splunk check-integrity -bucketPath [ bucket path ] [ -verbose ]

37. What is the purpose of the fishbucket?
a) It is a temporary bucket for storing corrupted data
b) To move data from the warm to cold paths
c) To verify whether Splunk has read a file before
d) To unthaw data from the thaweddb
Answer: To verify whether Splunk has read a file before

38. In per-provider index options, provider stanzas begin with
a) [default]
b) [hadoop:]
c) [provider-family:]
d) [provider:]
Answer: [provider:]

39. The three types of Splunk authentication are
a) Web, CLI, and hybrid.
b) TLS, Splunkauth, and root
c) Native, LDAP, and scripted.
d) Kerberos, SSL, and SSH.
Answer: Native, LDAP, and scripted.

40. Which of the following is not one of the four default roles in Splunk?
a) can_delete
b) power
c) sudo
d) admin
Answer: sudo

41. How are users, roles, and capabilities related?
a) Roles are assigned to users, and users contain sets of capabilities
b) Users are assigned roles, and roles are sets of capabilities
c) Users and roles are both assigned capabilities
d) Capabilities are directly assigned to users. Splunk does not have roles
Answer: Users are assigned roles, and roles are sets of capabilities

42. The primary configuration file associated with user authentication is
a) authorize.conf
b) props.conf
c) inputs.conf
d) users.conf
Answer: authorize.conf

43. True or False: If you need custom roles outside of the Splunk default ones, you should edit the Splunk default roles to meet your needs.
Answer: False

44. Select the best description of dn in LDAP.
a) A combination of comma-separated values that make up the distinguished name of an object
b) The same thing as a canonical name
c) A distributed data set for each user
d) Domain name
Answer: A combination of comma-separated values that make up the distinguished name of an object

45. In LDAP, an OU is
a) An object UID
b) An object unit
c) An organizational unit
d) An organizational UID
Answer: An organizational unit

46. The configuration file responsible for LDAP configuration in Splunk is
a) users.conf
b) kerberos.conf
c) authorize.conf
d) authentication.conf
Answer: authentication.conf

47. Splunk can be integrated to an external authentication system via
a) API
b) Web interface (HTTP)
c) SSL
d) ITML
e) ID-FF
Answer: API

48. Which of the following MFA products is not supported by Splunk?
a) Duo
b) Okta
c) RSA
Answer: Okta

49. Timestamp identification takes place at the ___ phase.
a) inputs
b) indexing
c) parsing
d) search
Answer: parsing

50. Segmentation takes place at the ___ phase.
a) inputs
b) indexing
c) parsing
d) search
Answer: indexing

51. True or False: MonitorNoHandle is not available on Windows hosts.
Answer: False

52. syslog is a form of ___ input.
a) network
b) monitor
c) FIFO
d) Windows
Answer: network

53. True or False: WMI is required for monitoring Windows inputs.
Answer: False

54. What is the CLI command to add a monitor input?
a) ./splunk add monitor input <monitor://>
b) ./splunk add input <monitor://>
c) ./splunk add input <path>
d) ./splunk add monitor <path>
Answer: ./splunk add monitor <path>

55. To configure a universal forwarder, put the following recommended steps in order:
1. Download and install the UF
2. Configure receiving on the Splunk indexer
3. Configure the UF to send data
4. Configure the UF to collect data from the host system
5. Start the UF
a) 1, 2, 3, 4, 5
b) 4, 5, 1, 3, 2
c) 2, 1, 5, 3, 4
d) 1, 2, 5, 4, 3
Answer: 2, 1, 5, 3, 4

56. By separating the search management and presentation layers from the indexing layer, Splunk scales
a) quickly
b) automatically
c) horizontally
d) vertically
Answer: horizontally

57. In a distributed search environment, another name for a search peer is a(n)
a) Splunk app.
b) search head.
c) heavy forwarder.
d) indexer.
Answer: indexer

58. Search head clusters are managed by
a) a search head master node
b) a heavy forwarder
c) a deployer
d) a deployment server
Answer: a deployer

59. An indexer cluster is managed by
a) a master cluster node
b) a heavy forwarder
c) a deployer
d) a deployment server
Answer: a master cluster node

60. Which of the following is not one of the three scaling tiers?
a) Search management
b) Parsing
c) Indexing
d) Data input
Answer: Parsing

61. True or False: A FQDN is not required for search head clustering.
Answer: False

62. Splunk recommends a minimum of ___ cluster members in a search head cluster.
a) three
b) two
c) four
d) one
Answer: three

63. In which configuration file does the following stanza exist?
[shclustering]
pass4SymmKey = <security key>
shcluster_label = <name your cluster>
a) outputs.conf
b) inputs.conf
c) servers.conf
d) props.conf
Answer: servers.conf

64. What is the CLI command to add a cluster member?
a) splunk new shcluster-member -current_member_uri <URI>:<management_port>
b) splunk add shcluster-member -current_member_uri <URI>:<management_port>
c) splunk shcluster-member-add -<URI>
d) splunk add shcluster-member -captain_uri <Captain_URI>:<management_port>
Answer: splunk add shcluster-member -current_member_uri <URI>:<management_port>

65. What is the CLI command to bootstrap a cluster captain?
a) splunk bootstrap shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
b) splunk enable captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
c) splunk add shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
d) splunk makecaptain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>
Answer: splunk bootstrap shcluster-captain -servers_list "<URI>:<management_port>,... >" -auth <username>:<password>

66. During the parsing phase, Splunk
a) Accepts forwarding, monitoring, network, and scripted inputs
b) Breaks the data stream into individual events
c) Writes the data onto index buckets
d) Authenticates against the master node
Answer: Breaks the data stream into individual events

67. SNMP inputs are considered
a) File and directory inputs.
b) Network events inputs.
c) Windows sources inputs.
d) Other data inputs.
Answer: Network events inputs

68. How are compressed file inputs handled in Splunk?
a) Splunk uncompresses them before processing.
b) Splunk leaves them compressed, but is able to process their contents.
c) Splunk ignores compressed files as they are not a supported file input type.
d) Splunk indexes the compressed files as if they were a standard file type, ignoring the compressed contents (but the filename and other metadata will still be available).
Answer: Splunk uncompresses them before processing.

69. Monitoring is part of the __ phase.
a) indexing
b) input
c) parsing
d) forwarding
Answer: input

70. Which of the following is not considered remote data?
a) A universal forwarder forwards data to a search head/indexer combination.
b) A forwarder forwards data to an indexer cluster, which then forwards data to a search head cluster.
c) A forwarder forwards data to another forwarder, which forwards data to a search head/indexer combination.
d) With a search head/indexer combination, we monitor files and directories on the machine on which Splunk Enterprise is installed.
Answer: With a search head/indexer combination, we monitor files and directories on the machine on which Splunk Enterprise is installed.

71. Which type of forwarder does not parse or search data?
a) Universal
b) Heavy
c) Light
d) SNMP
Answer: Universal

72. Which type of forwarder would you use if you want to be able to index data locally?
a) Universal
b) Heavy
c) Light
d) SNMP
Answer: Heavy

73. Which type of forwarder is a full Splunk Enterprise installation?
a) Universal
b) Heavy
c) Light
d) SNMP
Answer: Heavy

74. Which preliminary step should be taken before data is forwarded to an indexer or search head?
a) Configure the forwarder to collect and send data
b) Start the forwarder
c) Install a forwarder
d) Configure receiving on the indexer or search head
Answer: Configure receiving on the indexer or search head

75. True or False: A deployer can be used to configure forwarders.
Answer: False

76. True or False: Universal forwarders in Linux cannot be configured with a GUI.
Answer: True

77. Which type of license does a heavy forwarder require?
a) enterprise
b) IoT
c) forwarder
d) trial/free
Answer: forwarder

78. What is a multiple pipeline set?
a) The forwarder load balances to many indexers based on volume.
b) The forwarder shards data across multiple indexer nodes.
c) The forwarder can process multiple events at the same time.
d) The forwarder isolates and masks specific data using SEDCMD.
Answer: The forwarder can process multiple events at the same time.

79. Which configuration file governs multiple pipeline sets?
a) props.conf
b) server.conf
c) inputs.conf
d) datamodels.conf
Answer: server.conf

80. Which two types of load balancing are available for forwarders?
a) Number of forwarders or number of indexers
b) License type or time interval
c) Specified size of instance or age of data
d) Specified time or volume interval
Answer: Specified time or volume interval

81. Which Splunk Enterprise component allows you to group and configure other Splunk components by common characteristics?
a) Heavy forwarder
b) Indexer
c) Deployment server
d) Search head cluster captain
Answer: Deployment server

82. Splunk supports configuration management through third party tools like
a) Saltstack
b) Puppet
c) Chef
d) A&B only
e) A&C only
f) B&C only
g) All of these
Answer: All of these

83. True or False: A deployment server may be used to manage indexer clusters.
Answer: False

84. Which of the following is the best definition of a server-class?
a) A Windows Server-specific function that allows you to monitor Exchange and Active Directory.
b) Groups of Splunk Enterprise instances that receive content from deployment servers.
c) A specific stanza in server.conf that you configure on each heavy forwarder in your distributed environment.
d) A Splunk Enterprise instance that acts as a centralized configuration manager.
Answer: Groups of Splunk Enterprise instances that receive content from deployment servers.

85. Which of the following cannot be included in a deployment app?
a) A bundle of arbitrary content that you want to distribute to deployment clients.
b) A full Splunk Enterprise app that you want to distribute to deployment clients.
c) Scripts and supporting files that you want to distribute to deployment clients.
d) Heavy forwarders that you want to distribute to deployment clients.
Answer: Heavy forwarders that you want to distribute to deployment clients.

86. True or False: Apps managed with the deployment server cannot be later managed without the deployment server.
Answer: True

87. What is the CLI command to refresh the deployment server after creating a deployment app?
a) splunk reload deploy-server
b) splunk restart
c) splunk refresh deployment-server
d) splunk start --accept-license
Answer: splunk reload deploy-server

88. Where can you view deployment apps on Splunk web?
a) Add data
b) Receiver management
c) Forwarder management
d) Monitoring console
Answer: Forwarder management

89. True or False: A deployment client cannot belong to more than one server class.
Answer: False

90. True or False: A deployment server cannot be used to manage search head clusters.
Answer: True

91. Which of the following is not a type of monitor input?
a) Monitor
b) Download
c) MonitorNoHandle
d) Upload
Answer: Download

92. To monitor a path, the format of the stanza is:
a) [monitor]
b) [lookup:<path>]
c) [monitor:<path>]
d) [lookup]
Answer: [monitor:<path>]

93. The stanza to add a monitor input goes in which configuration file?
a) inputs.conf
b) outputs.conf
c) props.conf
d) transforms.conf
Answer: inputs.conf

94. The CLI command to add a monitor path is
a) splunk <path> monitor
b) splunk -add <path> monitor
c) splunk -monitor <path>
d) splunk add monitor <path>
Answer: splunk add monitor <path>

95. Which of the following is the best description of a Splunk batched file?
a) Batched files are a type of metrics index.
b) Batched files are not ingested at all, they are ignored.
c) Batched files are ingested, then deleted.
d) Batched files are treated like any other data input.
Answer: Batched files are ingested, then deleted

96. True or False: Splunk can accept network inputs on only specific ports.
Answer: False

97. True or False: Splunk Cloud accepts inputs only from configured with valid SSL certificates.
Answer: True

98. To handle syslog data
a) Splunk recommends setting up an independent syslog collector
b) Splunk cannot directly ingest syslog data
c) Splunk recommends configuring an intermediate forwarder
d) Splunk Cloud requires an intermediate forwarder
e) A&B
f) C&D
g) All of the above
Answer: C&D

99. How should you handle SNMP data in a Splunk environment?
a) Forward the SNMP data to Splunk with a heavy forwarder.
b) Send the SNMP data directly to Splunk.
c) Have the sender write the SNMP data to a file, then have Splunk monitor that file.
d) Splunk cannot ingest SNMP data.
Answer: Have the sender write the SNMP data to a file, then have Splunk monitor that file.

100. Which protocol is recommended for network inputs?
a) IMAP
b) SMTP
c) UDP
d) TCP
Answer: TCP

101. Scripted inputs allow you to
a) send data at intervals using cron jobs
b) prepare data before Splunk ingests it
c) generate dummy data for dev/test environments
d) populate extra indexer nodes on-the-fly as demand increases
Answer: prepare data before Splunk ingests it

102. True or False: You cannot use PowerShell to write a Splunk scripted input.
Answer: False

103. To poll a database, web service, or API, you would want to use a
a) scripted input
b) network input
c) heavy forwarder
d) universal forwarder
Answer: scripted input

104. The two types of scripted inputs are
a) UDP and TCP
b) batched and streaming
c) streaming and writing to a file
d) scheduling and cron
Answer: streaming and writing to a file

105. True or False: Scripted inputs can manage passwords and credentials.
Answer: True

106. Perfmon, registry, and WMI are all examples of
a) UNIX/Linux agentless inputs
b) Windows agentless inputs
c) network agentless inputs
d) Forwarder agentless inputs
Answer: Windows agentless inputs

107. What is the best description of a "first-time run experience"?
a) Built-in GUI tools to manage Splunk infrastructure
b) A built-in dashboard that comes with an app that shows the current state of the Splunk environment
c) A GUI/visual function of an app that auto-discovers infrastructure or other Splunk components
d) All of the above
e) None of the above
Answer: All of the above

108. True or False: The Splunk app for Windows Infrastructure is a premium app (costs money).
Answer: False

109. To send data using the HEC, which components are required?
a) A web application, at least one forwarder, and at least one indexer or search head.
b) A web application, at least one heavy forwarder, and an indexer cluster.
c) A web application and at least one indexer or search head.
d) A web application, a deployment server, and at least one indexer or search head.
Answer: A web application and at least one indexer or search head

110. Select the best description of a HEC token.
a) A part of an interactive dashboard where the values can change based on user input
b) An authentication method
c) An event stream from a web app
d) A batched file from a web app
Answer: An authentication method

111. Splunk stores data in __ block size.
a) 128k
b) 256k
c) 64k
d) 32k
Answer: 64k

112. Select the best description of a source type.
a) The default field that identifies the structure of the data in an event
b) The hostname of the machine from which the data originates
c) A user interface associated with an app
d) An alternate name that you assign to a field
Answer: The default field that identifies the structure of the data in an event

113. What is the default host value?
a) The IP address of the machine
b) The DNS name of the machine
c) default
d) The distinguished name dn of the machine
Answer: The DNS name of the machine

114. Which of the following is the default character set encoding for Splunk?
a) ISO 8859-5
b) UTF-8
c) JIS X 0208
d) ANSEL
Answer: UTF-8

115. In which configuration file do you specify an alternate character set encoding?
a) server.conf
b) inputs.conf
c) charset.conf
d) props.conf
Answer: props.conf

116. Put the following four steps of the parsing phase in order
1) Annotate events
2) Transform
3) Line break
4) Timestamps
a) 4, 3, 1, 2
b) 1, 2, 3, 4
c) 3, 4, 1, 2
d) 1, 3, 4, 2
Answer: 3, 4, 1, 2

117. What is the regular expression that Splunk uses to search for line breaks in raw data?
a) /y\$.^
b) /s\d$/[\n]
c) [\r\n]+
d) ([A-Z])\w+
Answer: [\r\n]+

118. Custom event boundaries and line breaks can be specified in which configuration file?
a) props.conf
b) server.conf
c) inputs.conf
d) outputs.conf
Answer: props.conf

119. Which time zone is the default for timestamps?
a) The time zone, if specified, in the raw data
b) UTC
c) The time zone of the Splunk instance
d) GMT
e) Question
Answer: The time zone of the Splunk instance

120. Values in the ___ field are stored in ___ time.
a) timestamp, Epoch
b) _time, UTC
c) timestamp, LINUX
d) _time, UNIX
Answer: _time, UNIX

121. Which three configuration files are needed to anonymize data?
a) outputs.conf, server.conf, transforms.conf
b) inputs.conf, transforms.conf, props.conf
c) session.conf, datamodels.conf, authorize.conf
d) eventtypes.conf, fields.conf, props.conf
Answer: inputs.conf, transforms.conf, props.conf

122. Which of the following is not a reason to anonymize data?
a) For optimizing dashboards
b) For compliance (e.g. PCI, HIPAA, GDPR)
c) For privacy (e.g. protecting social security numbers)
d) For security (e.g. company sensitive data, IP addresses, etc.)
Answer: For optimizing dashboards

123. SEDCMD is based on
a) The UNIX utility CMD
b) The Windows utility SED
c) The UNIX utility SED
d) The Windows utility CMD
Answer: The UNIX utility SED

124. Select the format of SEDCMD
a) s/<regex>/<replacement>/g
b) s/<replacement>/<regex>/g
c) s/<regex>/\d/g
d) s/<regex>/<replacement>/\d/g
Answer: s/<regex>/<replacement>/g

125. True or False: SEDCMD is easier to configure, but slower at processing time.
Answer: False

126. When anonymizing data, which .conf file tells Splunk where the data to be anonymized is?
a) transforms.conf
b) inputs.conf
c) props.conf
d) server.conf
Answer: inputs.conf

127. Using transformations to override the source type or host values occurs at
a) analysis time
b) index time
c) input phase
d) parse time
Answer: parse time

128. When using transformations to prevent unwanted events from being indexed, we can use a regular expression that defines the data we want to keep, then send everything else to
a) the fish bucket.
b) nullqueue
c) trash
d) /var/tmp
Answer: nullqueue

129. Which token does SEDCMD use to substitute characters?
a) d
b) c
c) s
d) y
Answer: y

130. In a SEDCMD string, which flag indicates a global search?
a) /g
b) /s
c) /*
d) /d
Answer: /g