Deck 3: Splunk Certified Developer

A) By pulling internal logs from forwarders.
B) By using the forwarder monitoring add-on.
C) With internal logs forwarded by forwarders.
D) With internal logs forwarded by deployment server.

A) Search head
B) Heavy forwarder
C) Heaviest forwarder
D) Universal forwarder

A) CLI
B) Edit inputs.conf Edit inputs.conf
C) Edit forwarder.conf forwarder.conf
D) Forwarder Management

A) File path.
B) Username and password.
C) Network protocol and port number.
D) Network protocol and MAC address.

A) App context
B) User context
C) Global context
D) Forwarder context

A) Sending alerts
B) Compressing data
C) Obfuscating/hiding data
D) Indexer acknowledgement

A) UTF-8
B) UTF-16
C) EBCDIC
D) ISO 8859

A) Indexer
B) Forwarder
C) Cluster master
D) Deployment server

A) [distributedSearch:Paris] default = false servers = server1, server2
B) [ searchGroup:Paris] servers = server1:8089, server2:8089 [ searchGroup:Paris]
C) [searchGroup:Paris] servers = server1:9997, server2:9997
D) servers = server1:8089; server2:8089

A) Metadata override, sender filtering options, network input queues (quantum queues)
B) Metadata override, sender filtering options, network input queues (memory/persistent queues)
C) Filename override, sender filtering options, network output queues (memory/persistent queues)
D) Metadata override, receiver filtering options, network input queues (memory/persistent queues)

A) Deployer
B) Cluster master
C) Deployment server
D) Search head cluster master

A) License data
B) Metrics data
C) Internal Splunk data
D) Internal Windows logs

A) props.conf
B) inputs.conf
C) indexes.conf
D) transforms.conf

A) Restrict search terms.
B) Whitelist search terms.
C) Limit the number of concurrent search jobs.
D) Allow or restrict indexes that can be searched.

A) Blacklist
B) Whitelist
C) They cancel each other out.
D) Whichever is entered into the configuration first.

A) true
B) false
C)
D) Newline Character

A) Slash notation
B) Regular expression
C) Irregular expression
D) Wildcard-only expression

A) Input phase
B) Parsing phase
C) Indexing phase
D) Licensing phase

A) A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
B) A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
C) An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
D) A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

A) Hot buckets
B) Cold buckets
C) Warm buckets
D) Frozen buckets

A) props.conf
B) search.conf
C) distsearch.conf
D) distibutedsearch.conf

A) LDAP
B) SAML
C) RADIUS
D) Duo Multifactor Authentication

A) The blacklist takes precedence over the whitelist.
B) The whitelist takes precedence over the blacklist.
C) Wildcards are not supported in any client filters.
D) Machine type filters are applied before the whitelist and blacklist.

A) coldPath
B) homePath
C) frozenPath
D) thawedPath

A) The search head dispatches searches to the peers.
B) The search peers pull the data from the forwarders.
C) Peers run searches in parallel and return their portion of results.
D) The search head consolidates the individual results and prepares reports.

A) Any OS platform.
B) Linux platform only.
C) Windows platform only.
D) None of the above.

A) Forwarder
B) Search peer
C) License master
D) Search head cluster

A) Indexers, search head, universal forwarders, license master
B) Indexers, search head, deployment server, universal forwarders
C) Indexers, search head, deployment server, license master, universal forwarder
D) Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder

A) REGEX, DEST, FORMAT
B) REGEX, SRC_KEY, FORMAT
C) REGEX, DEST_KEY, FORMAT
D) REGEX, DEST_KEY, FORMATTING

A) inputs.conf
B) monitor.conf
C) outputs.conf
D) forwarder.conf

A) $SPLUNK_HOME/etc/secure
B) $SPLUNK_HOME/etc/system
C) $SPLUNK_HOME/etc/licenses
D) $SPLUNK_HOME/etc/apps/licenses

A) By restarting Splunk.
B) By rescanning active forwarders.
C) By reloading the deployment server.
D) By rebuilding the forwarder asset table.

A) index=main
B) index=test
C) index=summary
D) index=_internal

A) After a user logs in.
B) When Splunk is restarted.
C) When adding a new search peer.
D) When a distributed search is initiated.

A) App Class
B) Client Class
C) Server Class
D) Forwarder Class

A) Remove the $SPLUNK_HOME/etc/passwd file Remove the $SPLUNK_HOME/etc/passwd file
B) Create an empty $SPLUNK_HOME/etc/passwd file Create an empty
C) Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf
D) Set nativeAuthentication=false in authentication.conf nativeAuthentication=false authentication.conf

A) props.conf
B) inputs.conf
C) rawdata.conf
D) transforms.conf

A) Indexer
B) Forwarder
C) Search head
D) Deployment server

A) [udp://172.16.10.1:9997] connection = dns sourcetype = dns
B) [any://172.16.10.1:10001] connection_host = ip sourcetype = web
C) [tcp://172.16.10.1:9997] connection_host = web
D) [tcp://172.16.10.1:10001] connection_host = dns

A) /var/log/messages
B) /var/log/maillog
C) /var/log/maillog and /var/log/messages and
D) none of the above

A) inputs.conf
B) indexes.conf
C) outputs.conf
D) servers.conf

A) When Splunk is restarted.
B) When the maximum warm bucket age has been reached.
C) When the maximum warm bucket size has been reached.
D) When the maximum number of warm buckets is reached.

A) enabled
B) datasource
C) server_name
D) ignoreOlderThan

A) maxDaysToKeep
B) moveToFrozenAfter
C) maxDataRetentionTime
D) frozenTimePeriodInSecs

A) Duo Administrator
B) LDAP Administrator
C) SAML Administrator
D) Trio Administrator

A) Apps
B) Search
C) Data preview
D) Forwarder inputs

A) host
B) index
C) linecount
D) splunk_server

A) Sending alerts
B) Compressing data
C) Obfuscating/hiding data
D) Indexer acknowledgement

A) Data is treated as streams.
B) Data is broken up into events.
C) Data is initially written to disk.
D) Data is measured by the license meter.

A) $SPLUNK_HOME/etc
B) $SPLUNK_HOME/var
C) $SPLUNK_HOME/conf
D) $SPLUNK_HOME/default

A) Buy a bigger Splunk license.
B) Add 2.5 TB each day for the next 5 days.
C) Add all 10 TB in a single 24 hour period.
D) Add 200 GB of historical data each day for 50 days.

A) Use Local Windows host monitoring.
B) Use Windows Remote Inputs with WMI.
C) Use Local Windows network monitoring.
D) Use an index with an Index Data Type of Metrics.

A) Apps tab in forwarder management interface or clientapps.conf . Apps tab in forwarder management interface or clientapps.conf .
B) Clients tab in forwarder management interface or deploymentclient.conf . Clients tab in forwarder management interface or deploymentclient.conf
C) Server Classes tab in forwarder management interface or serverclass.conf . Server Classes tab in forwarder management interface or serverclass.conf
D) Client Applications tab in forwarder management interface or clientapps.conf . Client Applications tab in forwarder management interface or

A) Map Users
B) Map Groups
C) Map LDAP Inheritance
D) Map LDAP to Active Directory

A) 1
B) 3
C) 4
D) 5

A) Universal forwarder
B) Heaviest forwarder
C) Hyper forwarder
D) Heavy forwarder

A) Indexer
B) Deployer
C) Forwarder
D) Deployment server

A) CLI
B) Edit inputs.conf Edit inputs.conf
C) Edit forwarder.conf forwarder.conf
D) Forwarder Management

A) A list of all the configurations on-disk that Splunk contains.
B) A verbose list of all configurations as they were when splunkd started.
C) A list of props.conf configurations as they are on-disk along with a file path from which the configuration is located. A list of configurations as they are on-disk along with a file path from which the configuration is located.
D) A list of the current running props.conf configurations along with a file path from which the configuration was made. A list of the current running configurations along with a file path from which the configuration was made.

A) LDAP
B) SAML
C) RADIUS
D) Duo Multifactor Authentication

A) Every 5 minutes.
B) Each time a user logs in.
C) Each time Splunk is restarted.
D) Varies based on LDAP_refresh setting.

A) By pulling internal logs from forwarders.
B) By using the forwarder monitoring add-on.
C) With internal logs forwarded by forwarders.
D) With internal logs forwarder by deployment server.

A) $SPLUNK_HOME/etc/apps
B) $SPLUNK_HOME/etc/search
C) $SPLUNK_HOME/etc/master-apps
D) $SPLUNK_HOME/etc/deployment-apps

A) $SPLUNK_HOME/etc/system/local
B) $SPLUNK_HOME/etc/system/default
C) $SPLUNK_HOME/etc/apps/app1/local
D) $SPLUNK_HOME/etc/ users /admin/local

A) 1. Request Login 2. Connect to SAML server 3. Duo MFA 4. Create User session 5. Authentication Granted 6. Log into Splunk
B) 2. Duo MFA 3. Authentication Granted 4. Connect to SAML server 5. Log into Splunk 6. Create User session
C) 2. Check authentication / group mapping 4. Duo MFA 5. Create User session
D) 3. Check authentication / group mapping

A) [ udpout:mysplunk_indexer11] compression=true [ udpout:mysplunk_indexer11]
B) [tcpout] defaultGroup=my_indexers compressed=true
C) /opt/splunkforwarder/bin/splunk enable compression
D) [ tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997

A) Requires an Enterprise license.
B) Is responsible for sending apps to forwarders.
C) Once used, is the only way to manage forwarders.
D) Can automatically restart the host OS running the forwarder.

A) ADFS
B) LDAP
C) SAML
D) RADIUS

A) _TCP_ROUTING
B) _INDEXER_LIST
C) _INDEXER_GROUP
D) _INDEXER_ROUTING

A) Restrict search terms.
B) Whitelist search terms.
C) Limit the number of concurrent search jobs.
D) Allow or restrict indexes that can be searched.

A) [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] servers = houston1:8089, houston2:8089
B) [distributedSearch] servers =nyc1, nyc2, houston1, houston2 servers = nyc1, nyc2 servers = houston1, houston2
C) servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089
D) servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089 servers = nyc1:8089; nyc2:8089 servers = houston1:8089; houston2:8089

A) Parents
B) Capabilities
C) Index access
D) Search history

A) Owner
B) Weight
C) Context
D) Creation time

A) Indexers
B) Forwarder
C) Search head
D) Search peers

A) Requires an Enterprise license.
B) Is responsible for sending apps to forwarders.
C) Once used, is the only way to manage forwarders.
D) Can automatically restart the host OS running the forwarder.

A) The search head dispatches searches to the peers.
B) The search peers pull the data from the forwarders.
C) Peers run searches in parallel and return their portion of results.
D) The search head consolidates the individual results and prepares reports.

A) Disk
B) CPUs
C) Memory
D) Network interface cards

A) CLI
B) Splunk Web
C) Editing inpits.conf Editing inpits.conf
D) Editing monitor.conf monitor.conf

A) Protocol, port number
B) Protocol, port, location
C) Protocol, username, port
D) Protocol, IP, port number