Which layers are involved in Splunk configuration file layering? (select all that apply)
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?
Which default Splunk role could be assigned to provide users with the following capabilities?
Create saved searches
Edit shared objects and alerts
Not allowed to create custom roles
Which of the following are required when defining an index in indexes. conf? (select all that apply)
A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to
ensure that the masking takes place successfully?
Which data pipeline phase is the last opportunity for defining event boundaries?
In a distributed environment, which Splunk component is used to distribute apps and configurations to the
other Splunk instances?
Which artifact is required in the request header when creating an HTTP event?
Which Splunk component performs indexing and responds to search requests from the search head?
A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?
For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?
What hardware attribute would need to be changed to increase the number of simultaneous searches (ad-hoc and scheduled) on a single search head?
An add-on has configured field aliases for source IP address and destination IP address fields. A specific user prefers not to have those fields present in their user context. Based on the defaultprops.confbelow, whichSPLUNK_HOME/etc/users/buttercup/myTA/local/props.confstanza can be added to the user’s local context to disable the field aliases?
An organization wants to collect Windows performance data from a set of clients, however, installing Splunk
software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?
Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that
apply.)
What event-processing pipelines are used to process data for indexing? (select all that apply)
A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.
Which command would meet these needs?
The following stanza is active in indexes.conf:
[cat_facts]
maxHotSpanSecs = 3600
frozenTimePeriodInSecs = 2630000
maxTota1DataSizeMB = 650000
All other related indexes.conf settings are default values.
If the event timestamp was 3739283 seconds ago, will it be searchable?
Within props. conf, which stanzas are valid for data modification? (select all that apply)
The Splunk administrator wants to ensure data is distributed evenly amongst the indexers. To do this, he runs
the following search over the last 24 hours:
index=*
What field can the administrator check to see the data distribution?
Which of the following are supported options when configuring optional network inputs?
Which setting in indexes. conf allows data retention to be controlled by time?
Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?
During search time, which directory of configuration files has the highest precedence?
The CLI command splunk add forward-server indexer:
which configuration file?
What is the difference between the two wildcards ... and - for the monitor stanza in inputs, conf?
Which of the following accurately describes HTTP Event Collector indexer acknowledgement?
Which file will be matched for the following monitor stanza in inputs. conf?
[monitor: ///var/log/*/bar/*. txt]
After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?
Where should apps be located on the deployment server that the clients pull from?
What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files?
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
Which of the following configuration files are used with a universal forwarder? (Choose all that apply.)
Where can scripts for scripted inputs reside on the host file system? (select all that apply)
Which of the following monitor inputs stanza headers would match all of the following files?
/var/log/www1/secure.log
/var/log/www/secure.l
/var/log/www/logs/secure.logs
/var/log/www2/secure.log
If an update is made to an attribute in inputs.conf on a universal forwarder, on which Splunk component
would the fishbucket need to be reset in order to reindex the data?