Splunk Enterprise/Cloud Admin(SV)
The output queue is controlled by what attribute?
maxQueueSize
Using btool, how could we diagnose a user's issue from their .conf perspective?
splunk btool --user=username --app=app
What command do we run on a DS to display all clients reporting in?
splunk list deploy-clients
What command do we run to check the indexer destination settings in outputs.conf on a forwarder?
splunk list forward-server
How do we tell the DS to rescan for changes without restarting Splunk?
splunk reload deploy-server
Where can scripts for scripted inputs reside on the host file system? (Select all that apply)
$SPLUNK_HOME/bin/scripts $SPLUNK_HOME/etc/system/bin $SPLUNK_HOME/etc/apps/<your_app>/bin
Which parent directory contains the configurations files in Splunk?
$SPLUNK_HOME/etc
Where should apps be located on the deployment server that the clients pull from?
$SPLUNK_HOME/etc/deployment-apps
Local user accounts created in Splunk store passwords in which file?
$SPLUNK_HOME/etc/passwd
During search time, which directory of configuration files has the highest precedence?
$SPLUNK_HOME/etc/users/admin/local
What are three advantages to using multiple pipeline sets?
* Ability to process multiple data streams simultaneously * Increases forwarder throughput * Get events to indexers faster
When Hybrid Search Topology is enabled, what are two very important limitations?
* Cannot search multiple Cloud environments * Cannot search from Cloud Search Head to on-prem Splunk or to another Splunk Cloud
Which of the following is NOT a part of configuring Splunk to use SAML? Select one. * Select SAML in Authentication Method * Click "Configure Splunk to use SAML" * Select SAML Configuration to configure trust connection details. * Download and export Splunk Service Provider (SP) Metadata to IdP server * Generate and import the IdP server metadata into Splunk * Define the directory node containing group definitions * Map the roles with New Group
* Define the directory node containing group definitions (that goes with LDAP)
Customer's responsibility consists of what?
* Forward data to Splunk * Manage configurations such as source type, index and contextual details * Administer and coordinate: managing users, data retention * Configuration and maintenance: license, ingestion, sizing and scalability
What is the default queueSize? 1 GB 500 KB 500 MB 256 MB
500 KB
Which of the following does NOT describe the IDM? Select all that apply. 1 Not available in the Victoria experience 2 Single hosted data input component 3 Not a replacement for a heavy forwarder 4 Available for scripted and modular inputs 5 Can be used for user, index, and data management 6 Does not support HEC token creation and management 7 Apps are installed via support ticket request 8 Customers should avoid using non-standard ports 9 Does not accept UDP/TCP inputs or ingest HEC data
6 Does not support HEC token creation and management
Which of the following are true of REST API and Splunk? 1 Provides direct and timely access to data 2 Supports basic and API-based authentication 3 Reduces overhead of maintaining machines and network infrastructure 4 Decreases transmitted data security 5 On-prem API inputs.conf are encrypted when deployed in Cloud apps and use a key for security 6 All are true
* Provides direct and timely access to data * Supports basic and API-based authentication * Reduces overhead of maintaining machines and network infrastructure * On-prem API inputs.conf are encrypted when deployed in Cloud apps and use a key for security (all but "decreases transmitted data security" -- security is actually increased.)
List three benefits of WLM (Workload Management) that improve performance, resource availability, and productivity.
* Separating data ingestion from search workload * Prioritizing critical search workloads * Isolating resource-heavy searches
What are the options for getting malformed or inaccurate events out of an index?
* Users with can_delete permissions can use the "delete" command to hide the data. It will continue to take up disk space, but will not be searched. * Purged when data ages-out and buckets are deleted (if buckets are archived, the bad data persists) * Delete the index and re-index all the data once the error is corrected
What wildcards are accepted in acceptFrom?
* and !
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
* matches anything in that specific directory path segment but does not go beyond that segment in the path; whereas ... recurses through directories and subdirectories to match.
What btool flag returns the exact .conf file and location used for the configuration?
--debug
What types of script are supported with scripted inputs?
.sh .bat .ps1 .py
Which of the following pertains to HEC in Splunk Cloud? 1 Index must exist prior to HEC setup 2 Index cannot exist prior to HEC setup 3 Progress can be monitored at any time. 4 Only after token creation can progress be monitored 5 All data is encrypted in transit 6 Data is not encrypted in transit 7 Customers cannot change the HEC network port. 8 Customers can change the HEC network port. 9 Customers can enable HEC for Kinesis Firehose themselves 10 Enabling HEC for Kinesis Firehose requires a support ticket 11 Indexer acknowledgement is available only for Amazon Kinesis Firehose 12 Indexer acknowledgement is freely available 13 Default maximum content length is unlimited 14 Default maximum content length is 1MB 15 Default maximum content length is 500KB
1 Index must exist prior to HEC setup 4 Only after token creation, progress can be monitored 5 All data is encrypted in transit 7 Customers cannot change the HEC network port. 10 Enabling HEC for Kinesis Firehose requires a support ticket 11 Indexer acknowledgement is available only for Amazon Kinesis Firehose 14 Default maximum content length is 1MB
Which of the following are true of mapping LDAP Groups to Roles? Select all that apply. 1 Not all groups need to be mapped 2 Mappings can be changed at any time 3 All groups need to be mapped 4 Mappings cannot be changed 5 The LDAP server is rechecked each time a user logs into Splunk 6 The LDAP server is only checked on first login, which is why mappings cannot be changed.
1 Not all groups need to be mapped 2 Mappings can be changed at any time 5 The LDAP server is rechecked each time a user logs into Splunk
Which of the following apply to the Splunk Connect for Syslog app? Select all that apply. 1. Containerized Syslog-ng server with data source library 2. Reduces configuration and management of syslog servers 3. Reliable and fault-tolerant delivery using Splunk forwarders 4. Requires on-prem syslog server for parsing and filtering 5. Presents challenges in terms of scale and complexity 6. Customizable filters to identify, parse, and format 7. Repeatable, concise, and prescriptive solution for syslog data
1. Containerized Syslog-ng server with data source library 2. Reduces configuration and management of syslog servers 6. Customizable filters to identify, parse, and format 7. Repeatable, concise, and prescriptive solution for syslog data
The following responsibilities are part of being a Splunk Cloud Admin. (Select all that apply.) 1. Integrate with LDAP/SAML 2. Define inputs and configure parsing 3. Create reports using Pivot 4. Install and manage apps 5. Forward events/data to Splunk Cloud
1. Integrate with LDAP/SAML 2. Define inputs and configure parsing 5. Forward events/data to Splunk Cloud (Page 22): installing and managing unvetted apps requires Splunk Cloud Ops involvement.
What is the correct Authentication Flow in LDAP?
1.) Request Login 2.) Bind DN/Password 3.) User DN 4.) User DN/Password 5.) Success Pg 45/46 Cloud
What are the implications of Role Inheritance when creating a custom role? (Select all that apply.) 1 If you wish to turn off capabilities inherited from the original role, you must do so by command line access only. 2 The new role inherits the index settings 3 The new role has all the capabilities of the inherited role 4 Inheritance is only available for roles built into Splunk Cloud by default
2 The new role inherits the index settings 3 The new role has all the capabilities of the inherited role
Which of the following are valid monitor input stanzas? Select all that apply. 1. [monitor://var/log/secure] 2. [monitor:///var/log/secure] 3. [monitor://C:\logs\] 4. [monitor:///C:\logs\] 5. [monitor://C:/logs/]
2. [monitor:///var/log/secure] 3. [monitor://C:\logs\]
Which of the following options can be used to assign index access when creating a custom role? (Select all that apply.) 1. Whitelist/Blacklist 2. Individually check index for access 3. Wildcards 4. Inheritance from parent role
2. Individually check index for access 3. Wildcards 4. Inheritance from parent role
Which of the following is not a benefit of Splunk Cloud? Select one. 1 Troubleshooting support and advice 2 Automated infrastructure deployment 3 Automated processing and implementation 4 Automated high availability setup 5 Regular maintenance and upgrades 6 24/7 NOC
4 Automated high availability setup
Which of the following is not true of the REST API in Splunk Cloud? Select one. 1 Splunk Cloud REST API ingestion applications and addons are modified from on-prem due to safety protocols 2 Splunk Cloud REST API ingestion applications and addons add functionality to Cloud deployments 3 Splunk Cloud REST API ingestion applications and addons can be installed on an IDM (Classic only), indexers, and/or search heads. 4 Splunk Cloud REST API ingestion applications and addons do not have data parsing capabilities.
4 Splunk Cloud REST API ingestion applications and addons do not have data parsing capabilities
What is the usual command on a forwarder to create deploymentclient.conf? 1. vim SPLUNK_HOME/deployment.conf 2. splunk set deploypoll SERVER:PORT 3. splunk create deploypoll SERVER:PORT 4. None of these 5. All of these would work
4. None of these splunk set deploy-poll SERVER:PORT
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command: splunk btool props list --debug What will the output be?
A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A token-based HTTP input that is secure and scalable and that does NOT require the use of forwarders.
Where can scripts for scripted inputs reside on the host file system? (Choose all that apply.) A. $SPLUNK_HOME/bin/scripts B. $SPLUNK_HOME/etc/apps/bin C. $SPLUNK_HOME/etc/system/bin D. $SPLUNK_HOME/etc/apps/<your_app>/bin
A. $SPLUNK_HOME/bin/scripts C. $SPLUNK_HOME/etc/system/bin D. $SPLUNK_HOME/etc/apps/<your_app>/bin
When defining a monitored source in inputs.conf, is an absolute or relative path used?
Absolute
Which of the following are key differences between Self-Service and Splunk Managed Cloud instances? (Select all that apply.) A. Managed allows Whitelisting/Blacklisting of IP Addresses B. Managed has a daily Data Ingestion maximum of 100GB C. Self-Service deploys from the US East and US West Cloud regions D. Self-Service allows for forwarder configuration using Splunk Web E. Concurrent search on Self-Service has a limit of 20.
A. Managed allows Whitelisting/Blacklisting of IP Addresses D. Self-Service allows for forwarder configuration using Splunk Web E. Concurrent search on Self-Service has a limit of 20.
For which of the following should customers contact Cloud Support? (All that apply) A. When unable to resolve issues or perform problem isolation B. For capacity or configuration changes C. For resizing D. For license changes E. When unable to log into Cloud F. For purchases
A. When unable to resolve issues or perform problem isolation B. For capacity or configuration changes E. When unable to log into Cloud
What are some examples of resiliency for Network inputs?
Adds buffering, load balancing, cloning. Indexer restarts do not cause data loss of TCP or UDP inputs.
Which of the following are optional when defining monitored inputs inputs.conf? Select all that apply. Host Sourcetype Index Blacklist Whitelist Disabled Wildcards
All
Which of the following statements apply to directory inputs?
All discovered text files are consumed. Splunk recursively traverses through the directory structure.
Which of the following are true of SAML (IdP) and Splunk Cloud? Select all that apply. * Credentials are exchanged through a browser session * Currently limited to a single identity provider * Uses digitally signed XML certificates from an IdP
All do apply
What is required for a TCP connection to work in Splunk Cloud?
An authorized role, secure token, credentials, or certificate validation. PG 24 Cloud Admin
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
Any OS platform
Which layers are involved in Splunk configuration file layering?
App context User context Global context
When configuring SAML, the IdP endpoint accepting Simple Object Access Protocol (SOAP) queries is defined by the _______.
Attribute Query URL
User role inheritance allows what to be inherited from the parent role? (Choose all that apply.) A. Parents B. Capabilities C. Index access D. Search history
B. Capabilities C. Index access and restrictions (not shown)
Place the timestamp processing in order: A. If no timestamp found, use the current system time when indexing the event. B Use TIME_FORMAT from props.conf to identify a timestamp in an event C. If Splunk finds a time, but no date, try to find the date in source name or file name. D. If Splunk cannot identify a date, use the file's modification time. E. If no TIME_FORMAT is configured, try to automatically identify a timestamp from the event. F. If no timestamp found, use the most recent timestamp.
B. Use TIME_FORMAT from props.conf to identify a timestamp in an event E. If no TIME_FORMAT is configured, try to automatically identify a timestamp from the event. C. If Splunk finds a time, but no date, try to find the date in source name or file name. D. If Splunk cannot identify a date, use the file's modification time. F. If no timestamp found, use the most recent timestamp. A. If no timestamp found, use the current system time when indexing the event.
What is the default way Splunk handles multi-line events? BREAK_ONLY_BEFORE BREAK_ONLY_BEFORE_DATE MUST_BREAK_AFTER
BREAK_ONLY_BEFORE_DATE
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
Blacklist
How do you remove missing forwarders from the Monitoring Console?
By rebuilding the forwarder asset table.
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events? A. REGEX, DEST, FORMAT B. REGEX, SRC_KEY, FORMAT C. REGEX, DEST_KEY, FORMAT D. REGEX, DEST_KEY, FORMATTING
C. REGEX, DEST_KEY, FORMAT
What attribute in props.conf overrides the character encoding?
CHARSET
Which of the following are supported configuration methods to add inputs on a forwarder?
CLI Edit inputs.conf Forwarder Management
What are some ways to modify configuration files (.conf)?
CLI Splunk Web API SDK Manually Edit
Which of the following are methods for adding inputs in Splunk? (Select all that apply)
CLI Splunk Web Editing inputs.conf
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
CPUs
User role inheritance allows what to be inherited from the parent role? (Select all that apply)
Capabilities Index access restrictions
What two settings in props.conf were specifically mentioned as being applied during the input phase (occurs on the forwarder?)
Character encoding Fine-tuning sourcetypes
The priority of layered Splunk configuration files depends on the file's:
Context
SAML certificate expiry, management, and renewal is handled by ______________. Customer Support
Customer
In this source definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best? [sshd_syslog] TIME_PREFIX = ^ TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} SHOULD_LINEMERGE = false TRUNCATE = 0 Event example: 2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366 A. MAX_TIMESTAMP_LOOKAHEAD = 5 B. MAX_TIMESTAMP_LOOKAHEAD = 10 C. MAX_TIMESTAMP_LOOKAHEAD = 20 D. MAX_TIMESTAMP_LOOKAHEAD = 30
D. MAX_TIMESTAMP_LOOKAHEAD = 30
Using SEDCMD in props.conf allows raw data to be modified. With the given event below, which option will mask the first three digits of the AcctID field, resulting in the output: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=xxx5309 Event: [22/Oct/2018:15:50:21] VendorID=1234 Code=B AcctID=1235309 A. SEDCMD-1acct = s/VendorID=\d{3}(\d{4})/VendorID=xxx/g B. SEDCMD-xxxAcct = s/AcctID=\d{3}(\d{4})/AcctID=xxx/g C. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=\1xxx/g D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
D. SEDCMD-1acct = s/AcctID=\d{3}(\d{4})/AcctID=xxx\1/g
What is the valid option for a [monitor] stanza in inputs.conf? A. enabled B. datasource C. server_name D. ignoreOlderThan
D. ignoreOlderThan
Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678. Which configuration file and stanza pair will mask possible SSNs in the log events? A. props.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 KEY = _raw B. props.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw C. transforms.conf [mask-SSN] REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
D. transforms.conf [mask-SSN] REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$" FORMAT = $1<SSN>###-##-$2 DEST_KEY = _raw
When considering differences between DDAA and DDSS, which characteristic applies to each? Possible answers: DDAA, DDSS Purchased via Accounts in 500 GB blocks Blended with standard searchable retention, restored data is searchable in cloud for 30 days Purchased and managed by customer only Data must be thawed in a customer-managed environment Commonly purchased option for medium to long-term retention Archive and thaw process is Splunk-managed Storage option for long-term for auditing and tracking of historical data/compliance. Retrieval is limited to 10% of DDXX storage Data cannot be restored or searched in Splunk Cloud unless re-ingested.
DDAA: Purchased via Accounts in 500 GB blocks; Blended with standard searchable retention, restored data is searchable in cloud for 30 days; Commonly purchased option for medium to long-term retention; Archive and thaw process is Splunk-managed; Retrieval is limited to 10% of DDXX storage. DDSS: Purchased and managed by customer only; Data must be thawed in a customer-managed environment; Storage option for long-term for auditing and tracking of historical data/compliance; Data cannot be restored or searched in Splunk Cloud unless re-ingested.
The connection_host attribute in inputs.conf allows three options. What are they?
DNS IP custom/none
What provides real-time stream processing to collect, process, and then deliver data to Splunk Cloud or other destinations?
DSP
How often the CMC's Forwarder Monitoring Setup table is updated is called the ________ interval.
Data Collection
How is data handled by Splunk during the input phase of the data ingestion process?
Data is treated as streams.
Which of the following is NOT performed via Splunk Cloud Search Heads? Select one. * Install and manage apps * Define inputs and configure parsing * Create and manage indexes * Manage knowledge objects * Integrate with LDAP/SAML * Manage data retention
Define inputs and configure parsing - these are done at the on-prem source
What are two ways to delete a Splunk Cloud archive?
Disable it or log a support ticket.
In addition to Dynamic Data Active Archiving, what other data archiving option is available to Splunk Cloud customers?
Dynamic Data Self Storage (DDSS)
How often does Splunk recheck the LDAP server
Each time a user logs in.
What does the following transform do? props.conf [mysrctype] TRANSFORMS-itops = route_errs_warns transforms.conf [route_errs_warns] REGEX = (Error|Warning) DEST_KEY = _MetaData:Index FORMAT = itops
Examine the events in the incoming _raw data. If "Error" or "Warning" is found, change its index field value to "itops".
True/False: Because Splunk Cloud does not accept UDP connections, syslog data cannot be imported.
False
True/False: Scheduled search is supported with Hybrid Search.
False
True/False: During data input, only the config files on the indexer are used
False Forwarder, too
True/False: One input configuration runtime model exists in memory for each inputs.conf file.
False - only one exists at all
True/False: CMC -> Settings -> Forwarder Monitoring Setup relies on forwarders sending production data to the CMC.
False - It relies on forwarders sending internal logs and monitor forwarding
What provides the capability to execute a unified search across multiple Splunk environments (including Splunk Cloud and On-premise?)
Federated Search
What app allows for SSL and TLS forwarding unique to the customer environment?
Forwarder Credentials App
_______ pipelines are data streams from source to end-point. ______ pipeline refers to the sequence of parsing pipelines.
Forwarding, ingestion
Match the files with their context. Contexts: Global, App/User. Files: inputs.conf props.conf savedsearches.conf macros.conf outputs.conf
Global: inputs.conf outputs.conf props.conf App/User: props.conf(both!) savedsearches.conf macros.conf
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
Heavy forwarder
Which forwarder type can parse data prior to forwarding?
Heavy forwarder
Within props.conf, which stanzas are valid for data modification? (select all that apply).
Host Source Sourcetype
For modular and scripted inputs in the classic experience, these must run on a separate ______ instance or on-premise _________.
IDM, heavy forwarder
The 'acceptFrom = <network_acl>' attribute lists address rules separated by commas or spaces. List the option(s) that are allowed. (Select all that apply)
IPv4 or IPv6 CIDR Block of addresses DNS name Wildcard '*' and '!'
There are two ways to set up when a scripted input runs: Name them.
In Seconds Cron schedule
In which phase of the index time process does the license metering occur?
Indexing phase
The two Splunk Cloud licensing options are ______-based and _______-based.
Ingestion Infrastructure
What DSP component uses REST API, HEC, UF?
Input connectors
What are the three components of DSP?
Input connectors Data Stream Processor Output connectors
What three phases can Splunk index time processes be broken down into?
Input, Parsing, Indexing
What .conf file can you omit the source type in?
Inputs.conf
What does the "." in (vmail.+) signify?
It is not escaped, so it's a single-character wildcard.
Which authentication methods are natively supported with Splunk Enterprise?
LDAP SAML Splunk Native
What is the message displayed when checking the HEC token status is complete?
Last deployment status
What does props.conf do on a forwarder?
Limited parsing - character encoding, metadata, event breaks
Forwarder props.conf uses?
Limited parsing(Character encoding, metadata, event break)
To what do these three things pertain? BREAK_ONLY_BEFORE BREAK_ONLY_BEFORE_DATE MUST_BREAK_AFTER
Line merging
What attribute defines how many lines are allowed per event?
MAX_EVENTS
Which of the following are supported options when configuring optional network inputs?
Metadata override, sender filtering options, network input queues (memory/persistent queues)
How do you remove the output bandwidth restriction on the IF?
Modify the limits.conf [thruput] stanza, changing maxKBps from the default 256 to the desired value, then restart. Changes must be made in the local file, not default. Lab sc_admin page 13.
What three types of tasks are restricted in the Splunk Cloud REST API?
Modifying client server configurations or components Restarting a Splunk Cloud deployment Executing debug commands
Does Splunk Cloud support CLI?
No
Which Splunk deployment allows customers to decide what app runs in their deployment, including unvetted apps?
On-Prem/Enterprise(Not Cloud)
Does Inbound TCP work in Cloud?
Only with the use of an SSL secure connection
Indexer props.conf is used for what?
Parsing (event breaks, Time Extractions, TZ, transformation)
What does props.conf control on an indexer?
Parsing (event breaks, time extraction, tz, transformation)
What is required when adding a native user to Splunk?
Password Username
What action is required to enable forwarder management in Splunk Web?
Place an app in the SPLUNK_HOME/etc/deployment-apps directory of the deployment server. In the Forwarder Management UI, create one or more server classes.
What .conf file can you use to override the source type for directory monitors?
Props.conf
What .conf file should you configure in your forwarder if you have input phase settings?
Props.conf
What are the minimum required settings when creating a network input in Splunk?
Protocol Port number
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
REGEX, DEST_KEY, FORMAT
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
Regular expression
When running the command shown below, what is the default path in which deploymentclient.conf is created? splunk set deploy-poll deployServer:port
SPLUNK_HOME/etc/system/local
Where is deploymentclient.conf located?
SPLUNK_HOME/etc/system/local
A persistent queue is written to which directory on the forwarder?
SPLUNK_HOME/var/run/splunk
_______________ defines the maximum size (in kilobytes) of the wait queue where Splunk stores data blocks if the target receiver cannot be reached, and it is set in _______.conf on a forwarder.
maxQueueSize outputs.conf
What options are available when creating custom roles?
Restrict search terms Limit the number of concurrent search jobs Allow or restrict indexes that can be searched
What are the two methods Splunk uses for raw data transformations? (added question)
SEDCMD (uses only props.conf) TRANSFORMS (uses props.conf and transforms.conf - more flexible - transforms matching events based on source, sourcetype, or host)
For single line event sourcetypes it is more efficient to set SHOULD_LINEMERGE to what value?
SHOULD_LINEMERGE = false (Path: SPLUNK_HOME/etc/apps/mycustom_addon/local/props.conf)
What is the path for the serverclass.conf file stored for any given app?
SPLUNK_HOME/etc/apps/appname/local/serverclass.conf
What is the maximum number of pipeline sets Splunk can use?
Three
Match the type of input with its inputs.conf stanza header. One item will not be used. Scripted Input Network Input Monitoring input Invalid for input --- [monitor:///var/log/*\.log] [script://./bin/myvmstat.sh] [tcpout:splunk_indexer]
Scripted Input [script://./bin/myvmstat.sh] Invalid Input [tcpout:splunk_indexer] Monitoring input [monitor:///var/log/*\.log]
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
Search Head
In Splunk Cloud, apps are installed via the ________ and deployed via the ___________.
Search head, management app
Search Head props.conf is used for what?
Search-time Field Extractions, lookups, etc...
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
Server Class
What is returned with the following CLI command? splunk btool inputs list
Shows the on-disk configuration for inputs.conf
When you add a directory monitor and specify a ________ explicitly, it applies to all files in the directory and subdirectories.
Source type
What is the Splunk-managed streaming process service provided for Splunk Cloud?
Splunk Stream Processor Service (SPS)
When setting MAX_TIMESTAMP_LOOKAHEAD , how will we know whether Splunk finds a timestamp before we begin indexing events?
Splunk will provide a warning when we attempt to set the lookahead.
When using the Deployment Server to deploy a scripted input, what is the file location path of the script?
SPLUNK_HOME/etc/deployment-apps/<app>/bin/
What are the two options available for configuring Splunk to handle syslog data since it cannot be directly ingested?
Syslog data sent via an intermediate tier; SC4S app collects and sends syslog data
Flow control across the entire input chain applies to which of the following? (Select all that apply)
TCP Scripted Input UDP
What attribute is a regular expression that matches characters right before the date/timestamp?
TIME_PREFIX
How do you test a script?
Test your script from the context of an app and make sure it runs correctly. - On the test/dev server, copy the script to an app's bin directory - To test the script from the Splunk perspective, run splunk cmd <scriptname>, e.g. ./splunk cmd ../etc/apps/<app>/bin/<myscript.sh>
Under what stanza and in what file would we find the expected SSL information on a receiver?
[ssl] inputs.conf
Under what stanza in outputs.conf would we find SSL configuration information on a forwarder?
[tcpout:name]
What is returned with the following CLI command? splunk show config inputs
The in-memory configuration for inputs.conf
Which of the following indexes come pre-configured with Splunk Enterprise?
_internal _thefishbucket
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
To ensure that data has not been tampered with for auditing and/or legal purposes.
True/False Use SEDCMD to modify raw data
True
True/False: Federated Search is available for Classic customer adoption.
True
True/False: Hybrid search is not supported in the Victoria Experience.
True
True/False: Ingestion violations in Splunk Cloud are not enforced; they are monitored, and adjustments to volume or infrastructure resourcing are made on usage review of consumption, to meet performance challenges and customer growth.
True
True/False: Just like Splunk Enterprise, Splunk Cloud can accept any text data as input.
True
True/False: SAML users are cached and written to file.
True
True/False: Splunk Cloud does not offer license pooling.
True
True/False: Splunk Cloud is hosted and supported by Splunk; one does not need one's own environment on-premises.
True
True/False: Standard HEC is enabled by default in Splunk Cloud.
True
True/False: Using Federated Search, we can only use generating SPL commands.
True
True/False: We can use the same queueSize and persistentQueueSize attributes to buffer scripted inputs as we do network inputs.
True
True/False: queuesize and maxQueueSize are independent of each other.
True
True/False TCP/UDP will need to be configured on UF/IF/HF as Cloud does not support direct connection.
True PG 152 for configuration details
What is the default character encoding used by Splunk during the input phase?
UTF-8
Match the forwarder data type with its characteristics: Types: -Unparsed -Parsed -Raw Characteristics: * Data sent unaltered over TCP and not converted into Splunk2Splunk format * Forwarded data skips indexer data pipelines precluding any further parsing * Data is collected and sent on with metadata * HF processes data into events, examines, tags, and then forwards/routes * Uses INDEXED_EXTRACTIONS, parsing, filtering, anonymizing, or routing in props.conf
Unparsed * Data is collected and sent on with metadata Parsed * HF processes data into events, examines, tags, and forwards/routes * Uses INDEXED_EXTRACTIONS, parsing, filtering, anonymizing or routing in props.conf * Forwarded data skips indexer data pipelines, precluding any further parsing Raw * Data sent unaltered over TCP and not converted into Splunk2Splunk format
We can use the _______ attribute to specify which network input streams are accepted by Splunk.
acceptFrom=
On a Search Head, inputs.conf is used for what?
What data is collected (internal Splunk logs)
Indexer inputs.conf is used for what?
What data is collected; Which ports to listen to
On a Search Head/Forwarder, outputs.conf is used for what?
Where to forward data
_______ is a rule-based management system to allocate compute resources (CPU and memory) to search, indexing, and other user tasks.
Workload Management (WLM)
Is the data transfer "speed" limit maxKBps = 256 under [thruput] in limits.conf the default?
Yes
Are monitor input options configured in inputs.conf?
Yes
Determine the index-time configuration, based on the following:
etc/system/local/inputs.conf contains:
[default]
host = server1
[monitor:///opt/log/www1/access.log]
host = websvr1
etc/apps/unix/local/inputs.conf contains:
[monitor:///var/log/secure.log]
sourcetype = access_combined
index = security
etc/apps/search/local/inputs.conf contains:
[monitor:///var/log/secure.log]
host = logsvr1
sourcetype = linux_secure
[monitor:///opt/log/www1/access.log]
host = www1
sourcetype = access_combined_wcookie
[default]
host = server1
[monitor:///var/log/secure.log]
host = logsvr1
sourcetype = linux_secure
index = security
[monitor:///opt/log/www1/access.log]
host = websvr1
sourcetype = access_combined_wcookie
Which stanza in deploymentclient.conf would we edit to override the default attributes?
[deployment-client]
What files are required for a deployment app?
app.conf and local.meta
Which of the following are required when defining an index in indexes.conf? (select all that apply)
coldPath homePath thawedPath
When adding values to acceptFrom=, we separate rules with ___________ or __________.
commas or spaces
True/False: Best practice is to configure a forwarder to be a deployment client.
False
What monitoring input option ignores a file's existing content and only indexes new data as it arrives?
followTail
Which setting in indexes.conf allows data retention to be controlled by time?
frozenTimePeriodInSecs
What are the default host, source, and sourcetype values for monitored inputs in inputs.conf?
host is defined in SPLUNK_HOME/etc/system/local/inputs.conf; source = fully-qualified file name; sourcetype = automatic
When the "MetaData" key is used in transforms.conf, its FORMAT value must be prefixed by ______________________________________.
host:: source:: sourcetype::
What attribute lets us set a hostname with a regular expression in inputs.conf?
host_regex=
What host_regex expression will capture all of these logs?
/var/log/vmail_logs/iis_vmail1.log
/var/log/vmail_logs/iis_vmail2.log
/var/log/vmail_logs/iis_vmail3.log
host_regex=\w+(vmail.+)\.log$
When forwarding syslog data, it is considered best practice to use a single syslog collector that writes data into a directory structure which is then monitored. What attribute will be required to determine from what machine the data originated?
host_segment
Which Splunk configuration file is used to enable data integrity checking?
indexes.conf
Which .conf file on a forwarder gathers the local logs and system info?
inputs.conf
Where would we find this stanza?
[splunktcp://9997]
inputs.conf on a receiver (intermediate forwarder or indexer)
The maximum speed, in kilobytes per second, that data is processed through the throughput process is set using the _____ value in _______.conf on a forwarder.
maxKBps limits.conf
How do you set maxKBps to unlimited?
maxKBps=0
The CLI command splunk add forward-server indexer:<receiving-port> will create stanza(s) in which configuration file?
outputs.conf
Where are SSL credentials CONFIGURED on a forwarder?
outputs.conf
Where would we find these stanzas?
[tcpout]
defaultGroup = default-group
[tcpout:default-group]
server = 10.2.3.4:9997
[tcpout-server://10.1.2.3:9997]
outputs.conf on a forwarder
When setting up scripted inputs in inputs.conf, what option facilitates safekeeping of run-user credentials?
passAuth
Custom timestamp extraction is specified in ____________________.conf.
props
At the cost of more resources (CPU and Memory), event boundaries can be defined in the ____ file of the Universal Forwarder.
props.conf
Custom timestamp extraction is specified in ___.
props.conf
In which Splunk configuration file is the SEDCMD used?
props.conf
In which Splunk configuration is the SEDCMD used? A. props.conf B. inputs.conf C. indexes.conf D. transforms.conf
props.conf
In which file would we find the following?
[source::...\\store\\purchases.log]
TRANSFORMS-1ccnum = cc_num_anon
props.conf
In which file would we find the following?
[sourcetype]
TRANSFORMS = STANZANAME
props.conf
Regarding field extractions, extraction directive EXTRACT is defined in ______ as single field extraction.
props.conf
The LINE_BREAKER attribute is configured in which configuration file?
props.conf
When using transforms, they are invoked from _____.conf and defined in ______.conf.
props/transforms
The memory queue is controlled by what attribute?
queuesize
Transient data from sources such as APIs, message queues, web services, custom transactions, et cetera, can be collected by using ______________ inputs.
scripted
In which file would we find the following?
[cc-num-anon]
REGEX = (. CC_NUM:\s) \d{12} (\d{4}. )
DEST_KEY = _raw
FORMAT = $1xxxxxxxxxxxxxxxxxx$2
transforms.conf
When monitoring usage in the Cloud Monitoring Console (CMC), a(n) _______ trend may indicate increasing usage that may lead to performance issues, while a(n) _______ trend may indicate that training or usability issues are impeding adoption.
upward, downward