Because Splunk indexing is read/write intensive, it is important to select the appropriate disk storage solution for each deployment. Which of the following statements is accurate about disk storage?
A. High performance SAN should never be used.
B. Enable NFS for storing hot and warm buckets.
C. The recommended RAID setup is RAID 10 (1 + 0).
D. Virtualized environments are usually preferred over bare metal for Splunk indexers.
Answer: C
Question 2
Which of the following tasks should the architect perform when building a deployment plan? (Select all that apply.)
A. Use case checklist.
B. Install Splunk apps.
C. Inventory data sources.
D. Review network topology.
Answer: D
Question 3
Which of the following statements describe search head clustering? (Select all that apply.)
A. A deployer is required.
B. At least three search heads are needed.
C. Search heads must meet the high-performance reference server requirements.
D. The deployer must have sufficient CPU and network resources to process service requests and push configurations.
Answer: A,C
Question 4
What is the logical first step when starting a deployment plan?
A. Inventory the currently deployed logging infrastructure.
B. Determine what apps and use cases will be implemented.
C. Gather statistics on the expected adoption of Splunk for sizing.
D. Collect the initial requirements for the deployment from all stakeholders.
Answer: D
Question 5
Which of the following options can improve reliability of syslog delivery to Splunk? (Select all that apply.)
A. Use TCP syslog.
B. Configure UDP inputs on each Splunk indexer to receive data directly.
C. Use a network load balancer to direct syslog traffic to active backend syslog listeners.
D. Use one or more syslog servers to persist data with a Universal Forwarder to send the data to Splunk indexers.
Answer: C,D
Question 6
When Splunk is installed, where are the internal indexes stored by default?
A. SPLUNK_HOME/bin
B. SPLUNK_HOME/var/lib
C. SPLUNK_HOME/var/run
D. SPLUNK_HOME/etc/system/default
Answer: B
Question 7
What is a Splunk Job? (Select all that apply.)
A. A user-defined Splunk capability.
B. Searches that are subjected to some usage quota.
C. A search process kicked off via a report or an alert.
D. A child OS process manifested from the splunkd process.
Answer: A
Question 8
What is the default log size for Splunk internal logs?
A. 10MB
B. 20MB
C. 25MB
D. 30MB
Answer: C
Question 9
Which two sections can be expanded using the Search Job Inspector?
A. Execution costs.
B. Saved search history.
C. Search job properties.
D. Optimization suggestions.
Answer: B,C
Question 10
A Splunk user successfully extracted an IP address into a field called src_ip. Their colleague cannot see that field in their search results with events known to have src_ip. Which of the following may explain the problem? (Select all that apply.)
A. The field was extracted as a private knowledge object.
B. The events are tagged as communicate, but are missing the network tag.
C. The Typing Queue, which does regular expression replacements, is blocked.
D. The colleague did not explicitly use the field in the search and the search was set to Fast Mode.
Answer: D
Question 11
When configuring a Splunk indexer cluster, what are the default values for replication and search factor?
A. replication_factor = 2, search_factor = 2
B. replication_factor = 2, search_factor = 3
C. replication_factor = 3, search_factor = 2
D. replication_factor = 3, search_factor = 3
Answer: A
Question 12
Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)
A. Identify number of scheduled or real-time searches.
B. Validate if this Technical Add-On enables event data for a data model.
C. Identify the maximum number of forwarders Technical Add-On can support.
D. Verify if Technical Add-On needs to be installed onto both a search head or indexer.
Answer: A,C
Question 13
In a distributed environment, knowledge object bundles are replicated from the search head to which location on the search peer(s)?
A. SPLUNK_HOME/var/lib/searchpeers
B. SPLUNK_HOME/var/log/searchpeers
C. SPLUNK_HOME/var/run/searchpeers
D. SPLUNK_HOME/var/spool/searchpeers
Answer: C
Question 14
How does the average run time of all searches relate to the available CPU cores on the indexers?
A. Average run time is independent of the number of CPU cores on the indexers.
B. Average run time decreases as the number of CPU cores on the indexers decreases.
C. Average run time increases as the number of CPU cores on the indexers decreases.
D. Average run time increases as the number of CPU cores on the indexers increases.
Answer: C
Question 15
As a best practice, where should the internal licensing logs be stored?