FiltersDone

Question type

Essay

Multiple Choice

Short Answer

True False

Matching

Exam 7: Splunk Core Certified Consultant

Show Answer

Share

---

All types

Filters

Study FlashcardsPractice ExamLearn

Question 21

Multiple Choice

Review LaterAdd Note

Review Later

A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?

A) list monitor
B) oneshot
C) btprobe
D) tailingprocessor

E) B) and D)
F) A) and B)

Correct Answer

verified

Show Answer

Question 22

Multiple Choice

Review LaterAdd Note

Review Later

When monitoring and forwarding events collected from a file containing unstructured textual events, what is the difference in the Splunk2Splunk payload traffic sent between a universal forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the forwarder.)

A) The payload format sent from the UF versus the HF is exactly the same. The payload size is identical because they're both sending 64K chunks.
B) The UF sends a stream of data containing one set of medata fields to represent the entire stream, whereas the HF sends individual events, each with their own metadata fields attached, resulting in a lager payload.
C) The UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true . The UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true .
D) The HF sends a stream of 64K TCP chunks with one set of metadata fields attached to represent the entire stream, whereas the UF sends individual events, each with their own metadata fields attached.

E) All of the above
F) B) and D)

Correct Answer

verified

Show Answer

Question 23

Multiple Choice

Review LaterAdd Note

When setting up a multisite search head and indexer cluster, which nodes are required to declare site membership?

What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk space?

Consider the search shown below. What is this search's intended function?

The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?

A [script://] input sends data to a Splunk forwarder using which method?

A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst case scenario, which queue(s) would be expected to fill up?

Which statement is true about subsearches?

A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this. Which resource would help the customer gather the requirements for their new architecture?

Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit . A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages : Which file(s) will actually be actively monitored?

What is the primary driver behind implementing indexer clustering in a customer's environment?

Which of the following server.conf stanzas indicates the Indexer Discovery feature has not been fully configured (restart pending) on the Master Node?

A customer has asked for a five-node search head cluster (SHC) , but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users' ability to view historic scheduled search results if they log onto a search head which doesn't contain one of the 2 copies of a given search artifact. Which of the following statements best describes what would happen in this scenario?

A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?

An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance. Given ideal conditions (no restarts, nor drops/bursts in data volume) , and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?

A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?

Which of the following processor occur in the indexing pipeline?

When utilizing a subsearch within a Splunk SPL search query, which of the following statements is accurate?

A customer has a network device that transmits logs directly with UDP or TCP over SSL. Using PS best practices, which ingestion method should be used?