Deck 7: Splunk Core Certified Consultant

A) The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
B) The SHC will stop all scheduled search activity within the SHC.
C) The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
D) The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.

A)
B)
C)
D)

A) Deployer sharing with master cluster.
B) License master that has 50 clients or more.
C) Cluster master node
D) Production Search Head

A) /var/log/secure
B) /var/log/messages
C) /var/log/messages , /var/log/cron , /var/log/audit , /var/log/secure , /var/log/cron /var/log/audit
D) /var/log/secure , /var/log/messages

A) Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.
B) Leave replication_factor=2 , increase search_factor=2 and enable summary_replication . Leave replication_factor=2 , increase search_factor=2 and enable summary_replication .
C) Convert the cluster to multi-site and modify the server.conf to be site_replication_factor=2 , site _search_factor=2 . Convert the cluster to multi-site and modify the to be site_replication_factor=2 , site _search_factor=2
D) Increase replication_factor=3 , search_factor=2 to protect the data, and allow there to always be a searchable copy. Increase replication_factor=3 , to protect the data, and allow there to always be a searchable copy.

A) Carefully design smaller apps with specific configuration that can be reused.
B) Only deploy Splunk PS base configurations via the deployment server.
C) Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server. Use $ SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server.
D) Carefully design bigger apps containing multiple configs.

A) The MC uses a REST endpoint to query the server.
B) Roles are manually assigned within the MC.
C) Roles are read from distsearch.conf . Roles are read from distsearch.conf .
D) The MC assigns all possible roles by default.

A) Subsearches are faster than other types of searches.
B) Subsearches work best for joining two large result sets.
C) Subsearches run at the same time as their outer search.
D) Subsearches work best for small result sets.

A) API: Python script with PAM/RADIUS details.
B) LDAP server: port, bind user credentials, path/to/groups, path/to/ user.
C) LDAP server: port, bind user credentials, base DN for groups, base DN for users.
D) LDAP REST details, base DN for groups, base DN for users.

A) The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer's environment.
B) While hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.
C) Searching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
D) Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).

A) 1. Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server. 3. Decommission old peers one at a time. 4. Remove old peers from the CM's list. 5. Update forwarders to forward to the new peers.
B) 2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
C) 3. Update forwarders to forward to the new peers. 4. Decommission old peers on at a time. 5. Restart the cluster master (CM).
D) 4. Decommission old peers one at a time. 5. Remove old peers from the CM's list.

A) Disable the indexing ports on the old indexers.
B) Disable replication ports on the old indexers.
C) Put the old indexers into manual detention.
D) Put the old indexers into automatic detention.

A) To improve resiliency as the search load increases.
B) To reduce indexing latency.
C) To scale out a Splunk environment to offer higher performance capability.
D) To provide higher availability for buckets of data.

A) UDP stream
B) TCP stream
C) Temporary file
D) STDOUT/STDERR

A) For non-production environments to keep their configurations in sync.
B) To ensure every customer has exactly the same base settings.
C) To provide settings that do not need to be customized to meet customer requirements.
D) To provide settings that can be customized to meet customer requirements.

A) Create a tiered deployment server topology.
B) Reduce the phone home interval to 6 seconds.
C) Leave the phone home interval at 60 seconds.
D) Increase the phone home interval to 600 seconds.

A) AUTO_KV_JSON
B) BREAK_ONLY_BEFORE_DATE
C) SHOULD_LINEMERGE
D) ANNOTATE_PUNCT

A) Create UDP input port 9997 on a UF.
B) Use the add data wizard in Splunk Web.
C) Use the inputs.conf file. Use the inputs.conf file.
D) Use a scripted input to monitor a log file.

A) The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use.
B) Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results.
C) The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads.
D) The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads. The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads.

A)
B)
C)
D)

A) full
B) merge_to_default
C) default_only
D) local_only

A) Search head cluster members, deployer, indexers, cluster master
B) Search head cluster members, deployment server, deployer, indexers, cluster master
C) All splunk nodes, including forwarders, must declare site membership
D) Search head cluster members, indexers, cluster master

A) All universal forwarders.
B) Only the indexers.
C) All heavy forwarders.
D) On all parsing Splunk instances.

A) Open a TCP port with SSL on a heavy forwarder to parse and transmit the data to the indexing tier.
B) Open a UDP port on a universal forwarder to parse and transmit the data to the indexing tier.
C) Use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier. Use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier.
D) Use a syslog server to aggregate the data to files and use a universal forwarder to read and transmit the data to the indexing tier. server to aggregate the data to files and use a universal forwarder to read and transmit the data to the indexing tier.

A) Subsearches have to be initiated with the | subsearch command. Subsearches have to be initiated with the | subsearch command.
B) Subsearches can only be utilized with | inputlookup command. Subsearches can only be utilized with | inputlookup
C) Subsearches have a default result output limit of 10000.
D) There are no specific limitations when using subsearches.

A) list monitor
B) oneshot
C) btprobe
D) tailingprocessor

A) Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design.
B) Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision.
C) Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design.
D) Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.

A) Configure site_search_factor to ensure a searchable copy exists in the local site for each search head. Configure site_search_factor to ensure a searchable copy exists in the local site for each search head.
B) Move all indexers and search heads in one of the data centers into the same site.
C) Install a network pipe with more bandwidth between the two data centers.
D) Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site. Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.

A) Each HEC input requires a unique name but token values can be shared.
B) Each HEC input requires an existing forwarder output group.
C) Each HEC input entry must contain a valid token.
D) Each HEC input requires a Source name field.

A) find / -name server.conf -print | grep pass4SymKey
B) $SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/unhash_app/storage/passwords
C) $SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey
D) $SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep pass4SymmKey

A) The Cluster Master (CM) can automatically discover new indexers added to the cluster.
B) Forwarders can automatically discover new indexers added to the cluster.
C) Deployment servers can automatically configure new indexers added to the cluster.
D) Search heads can automatically discover new indexers added to the cluster.

A) 1. Add new indexers to the cluster as peers, in the same site (if needed). 2. Ensure new indexers receive common configuration. 3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list.
B) 1. Add new indexers to the cluster as peers, to a new site. 2. Ensure new indexers receive common configuration from the CM.
C) 1. Add new indexers to the cluster as peers, in the same site. 2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers. 3. Allow time for CM to fix/migrate buckets to new hardware.
D) 1. Add new indexers to the cluster as new site. 2. Update cluster master (CM) server.conf to include the new available site. 4. Remove the old indexers from the CM's list. 2. Update cluster master (CM) server.conf to include the new available site.

A) The search needs to be modified to ensure the lookup command specifies parameter local=true . The search needs to be modified to ensure the command specifies parameter local=true .
B) The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true . The blacklisted definition stanza needs to be modified to specify setting allow_caching=true
C) The search needs to be modified to ensure the lookup command specified parameter blacklist=false . command specified parameter blacklist=false
D) The lookup cannot be blacklisted; the change must be reverted. The cannot be blacklisted; the change must be reverted.

A) Enter the license master configuration via Splunk web on each indexer before disabling Splunk web.
B) Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle. Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle.
C) Update the Splunk PS base config license app and copy to each indexer.
D) Update the Splunk PS base config license app and deploy via the cluster master.

A) To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index. To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
B) To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index. To find all the denied, high severity events in the index, and use those events to further search for lateral movement within the
C) To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index. index that occur two hours before and after all high severity, denied events found in the
D) To search the firewall index for web logs that have been denied and are of high severity. To search the index for web logs that have been denied and are of high severity.

A) $SPLUNK_HOME/etc/
B) $SPLUNK_HOME/etc/apps
C) $SPLUNK_HOME/etc/system/local
D) $SPLUNK_HOME/etc/slave-apps

A) All indexers with a copy of the bucket will delete it.
B) The cluster master will ensure another copy of the bucket is made on the other peers to meet the replication settings.
C) The cluster master will no longer perform fix-up activities for the bucket.
D) All indexers with a copy of the bucket will immediately roll it to frozen.

A) Splunk generates a SAML assertion that authenticates the user.
B) The Service Provider (SP) decodes the SAML request and authenticates the user.
C) The Identity Provider (IDP) decodes the SAML request and authenticates the user.
D) The Service Provider (SP) generates a SAML assertion that authenticates the user.

A) Extracts the top 10 fields.
B) Extracts metadata fields such as host , source , sourcetype . Extracts metadata fields such as host , source sourcetype .
C) Performs parsing, merging, and typing processes on universal forwarders.
D) Create report acceleration summaries.

A) Create a new role without the output_file capability that inherits the default user role and assign it to the users. Create a new role without the capability that inherits the default user role and assign it to the users.
B) Create a new role with the output_file capability that inherits the default user role and assign it to the users. Create a new role with the
C) Edit the default user role and remove the output_file capability. Edit the default user role and remove the capability.
D) Clone the default user role, remove the output_file capability, and assign it to the users. Clone the default user role, remove the capability, and assign it to the users.

A) The captain is not a cluster member and does not perform normal search activities.
B) The captain is a cluster member who performs normal search activities.
C) The captain is not a cluster member but does perform normal search activities.
D) The captain is a cluster member but does not perform normal search activities.

A) Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.
B) Ask the customer to engage with the sales team immediately as they probably need a larger license.
C) Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.
D) Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.

A) $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8
B) $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/*.tsidx
C) $SPLUNK_HOME/var/lib/splunk/fishbucket
D) $SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/rawdata

A) Work with the cloud orchestration team to create a common host-naming convention for these systems so a simple pattern can be used in the serverclass.conf whitelist attribute. Work with the cloud orchestration team to create a common host-naming convention for these systems so a simple pattern can be used in the serverclass.conf whitelist attribute.
B) Create a CSV lookup file for each severclass, manually keep track of the endpoints within this CSV file, and leverage the whitelist.from_pathname attribute in serverclass.conf . Create a CSV lookup file for each severclass, manually keep track of the endpoints within this CSV file, and leverage the whitelist.from_pathname attribute in .
C) Work with the cloud orchestration team to dynamically insert an appropriate clientName setting into each endpoint's local/deploymentclient.conf which can be matched by whitelist in serverclass.conf . Work with the cloud orchestration team to dynamically insert an appropriate clientName setting into each endpoint's local/deploymentclient.conf which can be matched by whitelist in
D) Using an installation bootstrap script run a CLI command to assign a clientName setting and permit serverclass.conf whitelist simplification. Using an installation bootstrap script run a CLI command to assign a setting and permit whitelist simplification.

A) A warm standby CM needs to be brought online as soon as possible before an indexer has an outage.
B) The indexer cluster will continue to operate as long as no indexers fail.
C) If the indexer cluster has site failover configured in the CM, the second cluster master will take over.
D) The indexer cluster will continue to operate as long as a replacement CM is deployed within 24 hours.

A) tcp out, syslog out
B) Regex replacement, annotator
C) Aggregator
D) UTF-8, linebreaker, header

A) When joining results from multiple indexes.
B) When dynamically filtering hosts.
C) When filtering indexed fields.
D) When joining multiple large datasets.

A) All replicated copies will be rolled to frozen; original copies will remain.
B) Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.
C) The bucket rolls to frozen on all clustered indexers simultaneously.
D) Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.

A)
B)
C)
D)

A) Typing, merging, parsing, input
B) Parsing
C) Typing
D) Indexing, typing, merging, parsing, input

A) Topology Category Code: M4
B) Topology Category Code: M14
C) Topology Category Code: C13
D) Topology Category Code: C3

A) Merging pipeline
B) Indexing pipeline
C) Typing pipeline
D) Parsing pipeline

A) The updated dashboard will not be deployed globally to all users, due to the conflict with the power user's modified version of the dashboard.
B) Applying the search head cluster bundle will fail due to the conflict.
C) The updated dashboard will be available to the power user.
D) The updated dashboard will not be available to the power user; they will see their modified version.

A) frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
B) maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
C) maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
D) frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs

A) Monitoring (via a process), collecting data (modular inputs) from remote systems/applications
B) Modular inputs, HTTP Event Collector (HEC), inputs.conf monitor stanza Modular inputs, HTTP Event Collector (HEC), inputs.conf monitor stanza
C) Actively listening on ports, monitoring (via a process), collecting data from remote systems/applications
D) splunktcp , splunktcp-ssl , HTTP Event Collector (HEC) splunktcp , splunktcp-ssl , HTTP Event Collector (HEC)

A) Search Job Inspector provides statistics to show how much time and the number of events each indexer has processed.
B) Search Job Inspector provides a Search Health Check capability that provides an optimized SPL query the customer should try instead.
C) Search Job Inspector cannot be used to help troubleshoot the slow performing search; customer should review index=_introspection instead. Search Job Inspector cannot be used to help troubleshoot the slow performing search; customer should review index=_introspection instead.
D) The customer is using the transaction SPL search command, which is known to be slow. The customer is using the transaction SPL search command, which is known to be slow.

A) The payload format sent from the UF versus the HF is exactly the same. The payload size is identical because they're both sending 64K chunks.
B) The UF sends a stream of data containing one set of medata fields to represent the entire stream, whereas the HF sends individual events, each with their own metadata fields attached, resulting in a lager payload.
C) The UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true . The UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true .
D) The HF sends a stream of 64K TCP chunks with one set of metadata fields attached to represent the entire stream, whereas the UF sends individual events, each with their own metadata fields attached.

A)
B)
C)
D)

A) No changes are necessary, the Monitoring Console has self-configuration capabilities.
B) Using the MC setup UI, review and apply the changes.
C) Remove and re-add the cluster master from the indexer clustering UI page to add new peers, then apply the changes under the MC setup UI.
D) Each new indexer needs to be added using the distributed search UI, then settings must be saved under the MC setup UI.

A) Indexing
B) Typing
C) Merging
D) Parsing

A) The internal Splunk authentication will take precedence.
B) Authentication will only succeed if the password is the same in both systems.
C) The LDAP user account will take precedence.
D) Splunk will error as it does not support overlapping usernames