Splunk Admin
Where can scripts for scripted inputs reside on the host file system? (Select all that apply)
$SPLUNK_HOME/bin/scripts; $SPLUNK_HOME/etc/system/bin; $SPLUNK_HOME/etc/apps/<your_app>/bin
Which parent directory contains the configurations files in Splunk?
$SPLUNK_HOME/etc
Where should apps be located on the deployment server that the clients pull from?
$SPLUNK_HOME/etc/deployment-apps
Where are license files stored?
$SPLUNK_HOME/etc/licenses
Local user accounts created in Splunk store passwords in which file?
$SPLUNK_HOME/etc/passwd
During search time, which directory of configuration files has the highest precedence?
$SPLUNK_HOME/etc/users/admin/local
What is the difference between the two wildcards ... and * for the monitor stanza in inputs.conf?
* matches anything in that specific directory path segment but does not go beyond that segment in the path; whereas ... recurses through directories and subdirectories to match.
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in, connects the universal forwarders to a deployment server, and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
What file is now monitored?
/var/log/maillog
What is the correct order of steps in Duo Multifactor Authentication?
1.) Request Login; 2.) Check authentication / group mapping; 3.) Authentication Granted; 4.) Duo MFA; 5.) Create User session; 6.) Log into Splunk
You update a props.conf file while Splunk is running. You do not restart Splunk and you run this command:
splunk btool props list --debug
What will the output be?
A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located.
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?
A token-based HTTP input that is secure and scalable and that does NOT require the use of forwarders.
Which of the following statements apply to directory inputs?
All discovered text files are consumed; Splunk recursively traverses through the directory structure
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?
Any OS platform
Which layers are involved in Splunk configuration file layering?
App context; User context
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
Blacklist
How do you remove missing forwarders from the Monitoring Console?
By rebuilding the forwarder asset table.
Which of the following are supported configuration methods to add inputs on a forwarder?
CLI; Edit inputs.conf; Forwarder Management
Which of the following are methods for adding inputs in Splunk? (Select all that apply)
CLI; Splunk Web; Editing monitor.conf
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
CPUs
User role inheritance allows what to be inherited from the parent role? (Select all that apply)
Capabilities; Index access
The universal forwarder has which capabilities when sending data? (select all that apply)
Compressing data; Indexer acknowledgement
The priority of layered Splunk configuration files depends on the file's:
Context
Which of the following is a valid distributed search group?
A. [distributedSearch:Paris] default = false servers = server1, server2
B. [searchGroup:Paris] default = false servers = server1:8089, server2:8089
C. [searchGroup:Paris] default = false servers = server1:9997, server2:9997
D. [distributedSearch:Paris] default = false servers = server1:8089, server2:8089
D. [distributedSearch:Paris] default = false servers = server1:8089, server2:8089
In this source definition MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog]
TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([\r\n]+)\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}
SHOULD_LINEMERGE = false
TRUNCATE = 0
Event example: 2018-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366
A. MAX_TIMESTAMP_LOOKAHEAD = 5
B. MAX_TIMESTAMP_LOOKAHEAD = 10
C. MAX_TIMESTAMP_LOOKAHEAD = 20
D. MAX_TIMESTAMP_LOOKAHEAD = 30
D. MAX_TIMESTAMP_LOOKAHEAD = 30
Which Splunk component distributes apps and certain other configuration updates to search head clusters members?
Deployer
How often does Splunk recheck the LDAP server?
Each time a user logs in.
Which Splunk component requires a Forwarder license?
Heavy forwarder
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?
Heavy forwarder
Which forwarder type can parse data prior to forwarding?
Heavy forwarder
Within props.conf, which stanzas are valid for data modification? (select all that apply).
Host; Source; Sourcetype
Which valid bucket types are searchable?
Hot buckets; Warm buckets; Cold buckets
Which Splunk component does a search head primarily communicate with?
Indexer
In which phase of the index time process does the license metering occur?
Indexing phase
Which authentication methods are natively supported with Splunk Enterprise?
LDAP; SAML
Which of the following are supported options when configuring optional network inputs?
Metadata override, sender filtering options, network input queues (memory/persistent queues)
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?
Metrics Data
To set up a network input in Splunk, what needs to be specified?
Network protocol and port number
When running the command shown below, what is the default path in which deployment server.conf is created?
splunk set deploy-poll deployServer:port
$SPLUNK_HOME/etc/system/local
What is required when adding a native user to Splunk?
Password; Username
What are the minimum required settings when creating a network input in Splunk?
Protocol; Port number
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?
REGEX, DEST_KEY, FORMAT
Which of the following authentication types requires scripting in Splunk?
Radius
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
Regular expression
What license does enterprise deployment require?
Requires an Enterprise license
What options are available when creating custom roles?
Restrict search terms; Limit the number of concurrent search jobs; Allow or restrict indexes that can be searched
What are the two methods Splunk uses for raw data transformations? (added ques)
SEDCMD (uses only props.conf); TRANSFORMS (uses props.conf and transforms.conf - more flexible - transforms matching events based on source, sourcetype, or host)
For single line event sourcetypes it is more efficient to set SHOULD_LINEMERGE to what value?
SHOULD_LINEMERGE = false (Path: $SPLUNK_HOME/etc/apps/mycustom_addon/local/props.conf)
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
Search Head
Which Splunk component performs indexing and responds to search requests from the search head?
Search peer (Indexer)
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?
Server Class
Which stanza enables compression for universal forwarders in outputs.conf?
[tcpout]
defaultGroup=my_indexers
compressed=true
Which of the following indexes come pre-configured with Splunk Enterprise?
_internal; _thefishbucket
Which of the following apply to how distributed search works? (select all that apply)
The search head dispatches searches to the peers; Peers run searches in parallel and return their portion of results; The search head consolidates the individual results and prepares reports
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?
To ensure that data has not been tampered with for auditing and/or legal purposes.
What is the default character encoding used by Splunk during the input phase?
UTF-8
Which optional configuration setting in inputs.conf allows you to selectively forward the data to specific indexer(s)?
_TCP_ROUTING
How does the Monitoring Console monitor forwarders?
With internal logs forwarded by forwarders
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON
A) [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
B) [distributedSearch] servers=nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON] default = false servers = houston1, houston2
C) [distributedSearch] servers = nyc1:8089; nyc2:8089; houston1:8089; houston2:8089 [distributedSearch:NYC] default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089; houston2:8089
[distributedSearch] servers = nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
[distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089
[distributedSearch:HOUSTON] default = false servers = houston1:8089, houston2:8089
Which of the following are required when defining an index in indexes.conf (select all that apply)
coldPath; homePath; thawedPath
Which setting in indexes.conf allows data retention to be controlled by time?
frozenTimePeriodInSecs
In which Splunk configuration file is the SEDCMD used?
props.conf