Splunk Admin


Where can scripts for scripted inputs reside on the host file system? (Select all that apply)

$SPLUNK_HOME/bin/scripts; $SPLUNK_HOME/etc/system/bin; $SPLUNK_HOME/etc/apps/<your_app>/bin

Which parent directory contains the configurations files in Splunk?

$SPLUNK_HOME/etc

Where should apps be located on the deployment server that the clients pull from?

$SPLUNK_HOME/etc/deployment-apps

Where are license files stored?

$SPLUNK_HOME/etc/licenses

Local user accounts created in Splunk store passwords in which file?

$SPLUNK_HOME/etc/passwd

During search time, which directory of configuration files has the highest precedence?

$SPLUNK_HOME/etc/users/admin/local (the user context; on disk the full layout is $SPLUNK_HOME/etc/users/<user>/<app>/local, and at search time it outranks the app's own local directory)

What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?

* matches anything in that specific directory path segment but does not go beyond that segment in the path; whereas ... recurses through directories and subdirectories to match.

This file has been manually created on a universal forwarder:

/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog

A new Splunk admin comes in, connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file:

/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog

What file is now monitored?

/var/log/maillog (the deployment server replaces the whole my_TA app directory on the client, so the hand-edited inputs.conf is overwritten and /var/log/messages is no longer monitored)

What is the correct order of steps in Duo Multifactor Authentication?

1. Request login
2. Check authentication / group mapping
3. Authentication granted
4. Duo MFA
5. Create user session
6. Log into Splunk

You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug. What will the output be?

A list of props.conf settings as they are on disk (btool reads the files, not the running configuration), with the path of the file each setting comes from.

Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

A token-based HTTP input that is secure and scalable and that does NOT require the use of forwarders.

Which of the following statements apply to directory inputs?

All discovered text files are consumed; Splunk recursively traverses the directory structure

Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

Any OS platform

Which layers are involved in Splunk configuration file layering?

App context; User context

In case of a conflict between a whitelist and a blacklist input setting, which one is used?

Blacklist: a file that matches both patterns is excluded.
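As an added example (not from the page or from Splunk), the following Python models how a monitor stanza's path, with `*` and `...`, and its whitelist and blacklist regexes select files, including the rule just stated that a file matching both lists is excluded. The file tree is constructed. The model simplifies: patterns are matched against full file paths, a wildcard-free path is treated as a directory monitored recursively, and `...` as a whole segment is assumed to match zero directory levels as well.

```python
"""Model how a [monitor://<path>] stanza with * and ... plus whitelist and
blacklist regexes selects files (added example; not Splunk's matching code).
Wildcard meanings follow the inputs.conf documentation; the file tree is
constructed. Simplifications: patterns are matched against full file paths,
a wildcard-free path is a directory monitored recursively, and "..." as a
whole segment may match zero directory levels.
"""
import re


def monitor_path_to_regex(pattern):
    """Translate a monitor path into a compiled regex.
    '*'   matches within one path segment only (never crosses '/')
    '...' matches across any number of directory levels
    """
    out = []
    for token in re.split(r"(\.\.\.|\*)", pattern):
        if token == "...":
            out.append(".*")
        elif token == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(token))
    regex = "".join(out).replace("/.*/", "/(?:.*/)?")   # /.../ may be empty
    if not re.search(r"\.\.\.|\*", pattern):
        regex += "(?:/.*)?"              # plain directory: take everything under it
    return re.compile("^" + regex + "$")


def is_monitored(path, monitor_path, whitelist=None, blacklist=None):
    """True if the stanza picks up `path`. whitelist and blacklist are regexes
    searched against the full path; a path that matches both is excluded,
    because the blacklist takes precedence."""
    if not monitor_path_to_regex(monitor_path).match(path):
        return False
    if blacklist and re.search(blacklist, path):
        return False
    if whitelist and not re.search(whitelist, path):
        return False
    return True


def select_files(paths, monitor_path, whitelist=None, blacklist=None):
    """Sorted list of the paths a stanza would monitor."""
    return sorted(p for p in paths
                  if is_monitored(p, monitor_path, whitelist, blacklist))


# Constructed file tree.
FILES = [
    "/var/log/auth.log",
    "/var/log/auth.log.1",
    "/var/log/debug.log",
    "/var/log/nginx/access.log",
    "/var/log/nginx/error.log",
    "/var/log/app/2024/app.log",
    "/etc/passwd",
]

if __name__ == "__main__":
    print("*    :", select_files(FILES, "/var/log/*.log"))
    print("...  :", select_files(FILES, "/var/log/.../*.log"))
    print("lists:", select_files(FILES, "/var/log",
                                 whitelist=r"\.log$", blacklist=r"debug"))
```

Running it shows `/var/log/*.log` stopping at the first directory level while `/var/log/.../*.log` reaches `nginx/` and `app/2024/`, and `debug.log` vanishing from the whitelisted set because the blacklist wins.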

How do you remove missing forwarders from the Monitoring Console?

By rebuilding the forwarder asset table.

Which of the following are supported configuration methods to add inputs on a forwarder?

CLI; Edit inputs.conf; Forwarder Management

Which of the following are methods for adding inputs in Splunk? (Select all that apply)

CLI; Splunk Web; Editing inputs.conf

What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?

CPUs (the concurrent search limit in limits.conf is max_searches_per_cpu multiplied by the number of cores, plus base_max_searches, so adding cores raises it)

User role inheritance allows what to be inherited from the parent role? (Select all that apply)

Capabilities; Index access

The universal forwarder has which capabilities when sending data? (select all that apply)

Compressing data; Indexer acknowledgement

The priority of layered Splunk configuration files depends on the file's:

Context
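The three layering questions above (search-time precedence, the two contexts, and priority by context) come down to one merge rule. The following Python, added here and not taken from the page or from Splunk, models that rule: it orders conf files by precedence for the global context and for the app/user context, merges them, and reports the file each winning value came from, which is what `splunk btool <conf> list --debug` prints. The paths (relative to $SPLUNK_HOME) and the props.conf fragments are constructed; the precedence orders follow the Splunk documentation, with ties between apps resolved by ASCII order of the app name as Splunk does.

```python
"""Model Splunk's .conf layering (added example; not Splunk's own code).

Every copy of a .conf file under $SPLUNK_HOME/etc is merged. For a given
stanza and setting, the copy in the highest-precedence directory wins. The
orders used here follow the Splunk documentation on configuration file
precedence; the paths (relative to $SPLUNK_HOME) and the props.conf
fragments are constructed for the demo.
"""
import configparser
import re


def _app_name(path):
    return path.split("/")[2]          # etc/apps/<app>/...


def layer_order(paths, context, app="search", user="admin"):
    """Return the conf paths ordered from lowest to highest precedence."""
    sys_default = [p for p in paths if p.startswith("etc/system/default/")]
    sys_local = [p for p in paths if p.startswith("etc/system/local/")]

    def app_tier(kind, keep=lambda p: True):
        sel = [p for p in paths
               if re.match(rf"etc/apps/[^/]+/{kind}/", p) and keep(p)]
        # Between apps the ASCII-lower name wins ("A" beats "B"), so it must
        # be applied last: sort names descending.
        return sorted(sel, key=_app_name, reverse=True)

    if context == "global":
        # Index-time / global context: system/local is the top layer.
        return sys_default + app_tier("default") + app_tier("local") + sys_local

    # App/user (search-time) context: the running app's directories beat the
    # other apps and the system directories; the user's own directory beats all.
    other = lambda p: _app_name(p) != app
    this = lambda p: _app_name(p) == app
    user_local = [p for p in paths
                  if p.startswith(f"etc/users/{user}/{app}/local/")]
    return (sys_default + sys_local
            + app_tier("default", other) + app_tier("local", other)
            + app_tier("default", this) + app_tier("local", this)
            + user_local)


def resolve(files, context, app="search", user="admin"):
    """files maps conf path -> text. Returns {stanza: {key: (value, source)}}
    so every winning value carries the file it came from, which is what
    `splunk btool <conf> list --debug` shows."""
    merged = {}
    for path in layer_order(list(files), context, app, user):
        cp = configparser.ConfigParser(interpolation=None, strict=False)
        cp.optionxform = str          # Splunk setting names are case-sensitive
        cp.read_string(files[path])
        for stanza in cp.sections():
            for key, value in cp.items(stanza):
                merged.setdefault(stanza, {})[key] = (value, path)
    return merged


# Constructed sample: five copies of props.conf that all touch [syslog].
FILES = {
    "etc/system/default/props.conf":
        "[syslog]\nTRUNCATE = 10000\nSHOULD_LINEMERGE = true\n",
    "etc/system/local/props.conf":
        "[syslog]\nTRUNCATE = 20000\n",
    "etc/apps/search/local/props.conf":
        "[syslog]\nTRUNCATE = 5000\n",
    "etc/apps/my_TA/local/props.conf":
        "[syslog]\nTRUNCATE = 0\nSHOULD_LINEMERGE = false\n",
    "etc/users/admin/search/local/props.conf":
        "[syslog]\nTRUNCATE = 99\n",
}

if __name__ == "__main__":
    for ctx in ("global", "user"):
        for key, (value, source) in resolve(FILES, ctx)["syslog"].items():
            print(f"{ctx:6} {key} = {value}  ({source})")
```

The same five files give TRUNCATE = 20000 from system/local in the global context, but TRUNCATE = 99 from the user's directory when the admin searches in the search app, and TRUNCATE = 0 when the running app is my_TA; SHOULD_LINEMERGE comes from my_TA in every case because nothing above it sets the key.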

Which of the following is a valid distributed search group?

A. [distributedSearch:Paris]
   default = false
   servers = server1, server2

B. [searchGroup:Paris]
   default = false
   servers = server1:8089, server2:8089

C. [searchGroup:Paris]
   default = false
   servers = server1:9997, server2:9997

D. [distributedSearch:Paris]
   default = false
   servers = server1:8089, server2:8089

D. [distributedSearch:Paris] default = false servers = server1:8089, server2:8089 (group stanzas are named distributedSearch:<group>, and peers are listed as host:port on the management port, 8089 by default; 9997 is the receiving port for forwarded data, not the port search heads talk to)

In this source definition MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?

[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0

Event example:
2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30

D. MAX_TIMESTAMP_LOOKAHEAD = 30 (the timestamp "2018-04-13 13:42:41.214 -0500" is 29 characters, so 30 is the smallest offered value that lets the whole TIME_FORMAT, milliseconds and time zone included, be read after TIME_PREFIX matches; 20 cuts it off after the seconds)

Which Splunk component distributes apps and certain other configuration updates to search head clusters members?

Deployer

How often does Splunk recheck the LDAP server?

Each time a user logs in.

Which Splunk component requires a Forwarder license?

Heavy forwarder

Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

Heavy forwarder

Which forwarder type can parse data prior to forwarding?

Heavy forwarder

Within props.conf, which stanzas are valid for data modification? (select all that apply).

Host ([host::<name>]); Source ([source::<path>]); Sourcetype ([<sourcetype>])

Which valid bucket types are searchable?

Hot buckets; Warm buckets; Cold buckets (thawed buckets, restored from frozen, are searchable too; frozen buckets are not)

Which Splunk component does a search head primarily communicate with?

Indexer

In which phase of the index time process does the license metering occur?

Indexing phase

Which authentication methods are natively supported with Splunk Enterprise?

LDAP; SAML

Which of the following are supported options when configuring optional network inputs?

Metadata override, sender filtering options, network input queues (memory/persistent queues)

What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

Metrics Data

To set up a network input in Splunk, what needs to be specified?

Network protocol and port number

When running the command shown below, what is the default path in which deploymentclient.conf is created?

splunk set deploy-poll deployServer:port

$SPLUNK_HOME/etc/system/local

What is required when adding a native user to Splunk?

Password; Username

What are the minimum required settings when creating a network input in Splunk?

Protocol; Port number

What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?

REGEX, DEST_KEY, FORMAT

Which of the following authentication types requires scripting in Splunk?

Radius

When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

Regular expression

What license does enterprise deployment require?

Requires an Enterprise license

What options are available when creating custom roles?

Restrict search terms; Limit the number of concurrent search jobs; Allow or restrict indexes that can be searched

What are the two methods Splunk uses for raw data transformations? (added ques)

SEDCMD (uses only props.conf) TRANSFORMS (uses props.conf and transforms.conf - more flexible - transforms matching events based on source, sourcetype, or host)
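The following Python, added here and not from the page or from Splunk, models the two mechanisms on sample events: an `s///` and `y///` SEDCMD applier, and a transform applier that honours REGEX, DEST_KEY and FORMAT (the required attributes from the transforms.conf question above) for the common destinations queue, _MetaData:Index and _raw. Python's `re` stands in for Splunk's PCRE; the demo runs the SEDCMDs and then the transforms in listed order and does not model the rest of Splunk's pipeline. The events and stanzas are constructed.

```python
"""Model SEDCMD and TRANSFORMS acting on raw events (added example; not
Splunk's own parsing code). SEDCMD-<class> lives in props.conf; a
TRANSFORMS-<class> names stanzas in transforms.conf whose REGEX, DEST_KEY and
FORMAT are applied here. Python re stands in for Splunk's PCRE, and the demo
applies all SEDCMDs and then all transforms in listed order; it does not model
the rest of the pipeline. Events and stanzas are constructed.
"""
import re


def apply_sedcmd(raw, sedcmd):
    """Apply one SEDCMD value: s/regex/replacement/[g|N] or y/from/to/.
    Replacement text may use \\1..\\9 backreferences. Without a flag only
    the first match is replaced; g replaces all; N replaces the N-th."""
    m = re.fullmatch(r"s/((?:\\.|[^/])*)/((?:\\.|[^/])*)/(g|\d+)?", sedcmd)
    if m:
        pattern, repl, flag = m.group(1), m.group(2), m.group(3)
        if flag == "g":
            return re.sub(pattern, repl, raw)
        target, seen = int(flag or 1), 0

        def nth(match):
            nonlocal seen
            seen += 1
            return match.expand(repl) if seen == target else match.group(0)
        return re.sub(pattern, nth, raw)
    m = re.fullmatch(r"y/([^/]*)/([^/]*)/", sedcmd)
    if m and len(m.group(1)) == len(m.group(2)):
        return raw.translate(str.maketrans(m.group(1), m.group(2)))
    raise ValueError(f"unsupported SEDCMD: {sedcmd!r}")


def apply_transform(event, stanza):
    """Apply one transforms.conf stanza to an event dict (_raw, index, queue).
    FORMAT may reference capture groups as $1..$9 ($0 is the whole match)."""
    m = re.search(stanza["REGEX"], event["_raw"])
    if not m:
        return event
    value = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "",
                   stanza.get("FORMAT", ""))
    out = dict(event)
    key = stanza["DEST_KEY"]
    if key == "queue":                 # nullQueue drops the event
        out["queue"] = value
    elif key == "_MetaData:Index":     # route to another index
        out["index"] = value
    elif key == "_raw":                # rewrite the event text
        out["_raw"] = value
    else:
        raise ValueError(f"unsupported DEST_KEY: {key}")
    return out


def index_time(raw, sedcmds, transforms, index="main"):
    """Run one raw event through the SEDCMDs, then the transforms.
    Returns the event dict, or None when a transform sent it to nullQueue."""
    for sed in sedcmds:
        raw = apply_sedcmd(raw, sed)
    event = {"_raw": raw, "index": index, "queue": "indexQueue"}
    for stanza in transforms:
        event = apply_transform(event, stanza)
        if event["queue"] == "nullQueue":
            return None
    return event


# props.conf side, written as the values of SEDCMD-<class> settings: mask the
# middle digits of a card number, then drop a trailing field.
SEDCMDS = [
    r"s/(\d{4}-)\d{4}-\d{4}-(\d{4})/\1XXXX-XXXX-\2/g",
    r"s/ trace_id=\w+//",
]

# transforms.conf side: a [drop_debug] and a [route_sshd] stanza, as dicts.
TRANSFORMS = [
    {"REGEX": r"level=DEBUG", "DEST_KEY": "queue", "FORMAT": "nullQueue"},
    {"REGEX": r"sshd\[\d+\]", "DEST_KEY": "_MetaData:Index", "FORMAT": "auth"},
]

# Constructed sample events.
SAMPLE = [
    "level=INFO action=purchase card=4111-1111-1111-1234 amount=42 trace_id=abc123",
    "level=DEBUG action=cache_miss key=session:42",
    "server sshd[26219]: Connection from 172.0.2.60 port 47366",
]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(index_time(raw, SEDCMDS, TRANSFORMS))
```

The first event comes out with the card number masked and trace_id removed, the DEBUG event is dropped before it reaches an index, and the sshd event is rerouted to the auth index, which is the flexibility the answer above attributes to TRANSFORMS.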

For single line event sourcetypes it is more efficient to set SHOULD_LINEMERGE to what value?

SHOULD_LINEMERGE = false (for example in $SPLUNK_HOME/etc/apps/mycustom_addon/local/props.conf; with line merging off, each line broken by LINE_BREAKER is an event and the indexer skips the merge pass)
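The MAX_TIMESTAMP_LOOKAHEAD question above and this SHOULD_LINEMERGE answer concern the same parsing settings. The Python below, added here and not from the page or from Splunk, replays them on a constructed sshd log: it breaks events at LINE_BREAKER, discarding only the capture group, then reads the timestamp through a window of MAX_TIMESTAMP_LOOKAHEAD characters after TIME_PREFIX. It is a model: Splunk's `%3N` is mapped to Python's `%f`, and the timestamp is taken as the longest parseable prefix of the window.

```python
"""Replay LINE_BREAKER / SHOULD_LINEMERGE / MAX_TIMESTAMP_LOOKAHEAD on a log
(added example; not Splunk's parsing code). Settings are the ones from the
sshd_syslog question; the log text is constructed. Simplifications: %3N is
mapped to Python's %f, and the timestamp is the longest parseable prefix of
the lookahead window.
"""
import re
from datetime import datetime

TIME_PREFIX = r"^"
TIME_FORMAT = "%Y-%m-%d %H:%M:%S.%3N %z"
LINE_BREAKER = r"([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}"

# Constructed sample: three events; the second one continues on a second line.
RAW = (
    "2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366\n"
    "2018-04-13 13:42:41.300 -0500 server sshd[26219]: Failed password for invalid user admin\n"
    "  from 172.0.2.60 port 47366 ssh2\n"
    "2018-04-13 13:42:42.001 -0500 server sshd[26219]: Disconnected from 172.0.2.60 port 47366\n"
)


def break_events(raw, line_breaker=LINE_BREAKER):
    """Split at each LINE_BREAKER match. Only the first capture group is
    discarded; the timestamp the pattern looked ahead for stays in the next
    event. With SHOULD_LINEMERGE = false nothing is re-joined afterwards, so
    the continuation line stays inside its event without a merge pass."""
    events, pos = [], 0
    for m in re.finditer(line_breaker, raw):
        events.append(raw[pos:m.start(1)])
        pos = m.end(1)
    tail = raw[pos:].rstrip("\r\n")
    if tail:
        events.append(tail)
    return events


def extract_timestamp(event, lookahead, time_prefix=TIME_PREFIX,
                      time_format=TIME_FORMAT):
    """Model MAX_TIMESTAMP_LOOKAHEAD: after TIME_PREFIX matches, only the next
    `lookahead` characters are examined for a TIME_FORMAT timestamp.
    Returns an aware datetime, or None when the window is too short."""
    m = re.search(time_prefix, event)
    if not m:
        return None
    window = event[m.end():m.end() + lookahead]
    fmt = time_format.replace("%3N", "%f")   # Splunk milliseconds -> strptime
    for end in range(len(window), 0, -1):    # longest parseable prefix wins
        try:
            return datetime.strptime(window[:end], fmt)
        except ValueError:
            continue
    return None


def parse_events(raw, lookahead):
    """Return [(iso_timestamp_or_None, event_text), ...] for the raw text."""
    out = []
    for event in break_events(raw):
        ts = extract_timestamp(event, lookahead)
        out.append((ts.isoformat() if ts else None, event))
    return out


if __name__ == "__main__":
    for lookahead in (20, 30):
        print(f"MAX_TIMESTAMP_LOOKAHEAD = {lookahead}")
        for ts, event in parse_events(RAW, lookahead):
            print(f"  {ts}  <- {event.splitlines()[0][:45]}...")
```

With a lookahead of 20 every event comes back without a timestamp, because the window ends at "13:42:41." and the format still expects milliseconds and a zone; with 30 all three parse, including the two-line event that LINE_BREAKER kept together.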

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

Search Head

Which Splunk component performs indexing and responds to search requests from the search head?

Search peer (Indexer)

When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

Server Class

Which stanza enables compression for universal forwarders in outputs.conf?

[tcpout]
defaultGroup = my_indexers
compressed = true

(compression must also be enabled on the receiving side: compressed = true in the [splunktcp] stanza of the indexer's inputs.conf, otherwise the indexer cannot read the compressed stream)

Which of the following indexes come pre-configured with Splunk Enterprise?

_internal; _thefishbucket (index names are lowercase)

Which of the following apply to how distributed search works? (select all that apply)

The search head dispatches searches to the peers; Peers run searches in parallel and return their portion of results; The search head consolidates the individual results and prepares reports

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

To ensure that data has not been tampered with, for auditing and/or legal purposes (enableDataIntegrityControl = true in indexes.conf makes the indexer hash the raw data of each bucket as it is written; splunk check-integrity verifies those hashes later)

What is the default character encoding used by Splunk during the input phase?

UTF-8

Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?

_TCP_ROUTING

How does the Monitoring Console monitor forwarders?

With internal logs forwarded by forwarders

How would you configure your distsearch.conf to allow you to run the search below?

sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

A) [distributedSearch:NYC]
   default = false
   servers = nyc1:8089, nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089, houston2:8089

B) [distributedSearch]
   servers = nyc1, nyc2, houston1, houston2
   [distributedSearch:NYC]
   default = false
   servers = nyc1, nyc2
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1, houston2

C) [distributedSearch]
   servers = nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
   [distributedSearch:NYC]
   default = false
   servers = nyc1:8089; nyc2:8089
   [distributedSearch:HOUSTON]
   default = false
   servers = houston1:8089; houston2:8089

[distributedSearch]
servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
[distributedSearch:NYC]
default = false
servers = nyc1:8089, nyc2:8089
[distributedSearch:HOUSTON]
default = false
servers = houston1:8089, houston2:8089

(peers are listed once, as host:port and comma-separated, in [distributedSearch]; each group stanza then names a subset of those peers, and splunk_server_group=HOUSTON restricts the search to that group)
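Both distsearch.conf questions on this page turn on the same details: peers are listed as host:port on the management port (8089 by default; 9997 is the receiving port forwarders send data to), lists are comma-separated, and a group stanza is named distributedSearch:<group> and names peers that also appear in [distributedSearch]. The Python below, added here and not from the page or from Splunk, checks a fragment against those rules and resolves splunk_server_group=<name> in a search to the group's peers. The conf fragments and the search string are constructed; the management port is an assumption that can be overridden.

```python
"""Check distsearch.conf fragments against the rules the two questions above
rely on (added example; not Splunk's own validation). Peers are host:port on
the splunkd management port, 8089 by default; 9997 is the data receiving
port. Group stanzas are named distributedSearch:<group> and may only list
peers that are also in [distributedSearch]. Fragments and the search string
are constructed.
"""
import configparser
import re

MGMT_PORT = 8089   # assumption: the default management port; override if changed


def _servers(value):
    return [s.strip() for s in value.split(",") if s.strip()]


def _load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def validate_distsearch(text, mgmt_port=MGMT_PORT):
    """Return a list of problems; an empty list means the fragment is usable."""
    cp = _load(text)
    problems = []
    peers = set(_servers(cp.get("distributedSearch", "servers", fallback="")))
    if not peers:
        problems.append("[distributedSearch] has no servers list")
    for section in cp.sections():
        if not section.startswith("distributedSearch"):
            problems.append(f"[{section}]: stanza name must start with distributedSearch")
            continue
        for s in _servers(cp.get(section, "servers", fallback="")):
            if not re.fullmatch(r"[\w.-]+:\d+", s):
                problems.append(f"[{section}]: '{s}' is not host:port")
                continue
            if int(s.rsplit(":", 1)[1]) != mgmt_port:
                problems.append(f"[{section}]: '{s}' does not use the management port {mgmt_port}")
            if section != "distributedSearch" and s not in peers:
                problems.append(f"[{section}]: '{s}' is not a registered peer")
    return problems


def peers_for_search(text, search):
    """Resolve splunk_server_group=<name> in a search to that group's peers;
    without the option the search goes to every registered peer."""
    cp = _load(text)
    m = re.search(r"splunk_server_group=(\w+)", search)
    if not m:
        return sorted(_servers(cp.get("distributedSearch", "servers", fallback="")))
    return _servers(cp.get(f"distributedSearch:{m.group(1)}", "servers", fallback=""))


GOOD = """
[distributedSearch]
servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089

[distributedSearch:NYC]
default = false
servers = nyc1:8089, nyc2:8089

[distributedSearch:HOUSTON]
default = false
servers = houston1:8089, houston2:8089
"""

GROUP_ONLY = """
[distributedSearch:NYC]
default = false
servers = nyc1:8089, nyc2:8089
"""

SEMICOLONS = """
[distributedSearch]
servers = nyc1:8089; nyc2:8089; houston1:8089; houston2:8089
"""

DATA_PORT = """
[distributedSearch]
servers = server1:9997, server2:9997
"""

WRONG_NAME = """
[distributedSearch]
servers = server1:8089, server2:8089

[searchGroup:Paris]
default = false
servers = server1:8089, server2:8089
"""

SEARCH = "sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON"

if __name__ == "__main__":
    for name, text in [("GOOD", GOOD), ("GROUP_ONLY", GROUP_ONLY),
                       ("SEMICOLONS", SEMICOLONS), ("DATA_PORT", DATA_PORT),
                       ("WRONG_NAME", WRONG_NAME)]:
        print(name, validate_distsearch(text) or "ok")
    print("HOUSTON peers:", peers_for_search(GOOD, SEARCH))
```

Each wrong option from the two questions trips a different check: a group without a top-level peer list, semicolon separators that collapse the list into one unparseable entry, the 9997 data port, and a stanza named searchGroup instead of distributedSearch. The correct fragment passes and resolves the HOUSTON group to houston1 and houston2.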

Which of the following are required when defining an index in indexes.conf (select all that apply)

coldPath; homePath; thawedPath

Which setting in indexes.conf allows data retention to be controlled by time?

frozenTimePeriodInSecs

In which Splunk configuration file is the SEDCMD used?

props.conf

