NEW QUESTION 1
Which of the following are required when defining an index in indexes.conf? (Select all that apply.)

• A. coldPath
• B. homePath
• C. frozenPath
• D. thawedPath

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Indexesconf#PER_INDEX_OPTIONS

NEW QUESTION 2
What is the default character encoding used by Splunk during the input phase?

• A. UTF-8
• B. UTF-16
• C. EBCDIC
• D. ISO 8859

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Configurecharactersetencoding

NEW QUESTION 3
When configuring monitor inputs with whitelists or blacklists, what is the supported method of filtering the lists?

• A. Slash notation
• B. Regular expression
• C. Irregular expression
• D. Wildcard-only expression

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Filterclients

NEW QUESTION 4
For single line event sourcetypes, it is most efficient to set SHOULD_LINEMERGE
to what value?

• A. True
• B. False
• C. <regex string>
• D. Newline Character

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/704533/what-are-the-best-practices-for-defining-source-ty.html

NEW QUESTION 5
What are the required stanza attributes when configuring the transforms.conf to manipulate or remove events?

• A. REGEX, DEST, FORMAT
• B. REGEX, SRC_KEY, FORMAT
• C. REGEX, DEST_KEY, FORMAT
• D. REGEX, DEST_KEY, FORMATTING

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Transformsconf

NEW QUESTION 6
What options are available when creating custom roles? (Select all that apply.)

• A. Restrict search terms.
• B. Whitelist search terms.
• C. Limit the number of concurrent search jobs.
• D. Allow or restrict indexes that can be searched.

Answer: AD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Aboutusersandroles

NEW QUESTION 7
Where can scripts for scripted inputs reside on the host file system? (Select all that apply.)

• A. $SPLUNK_HOME/bin/scripts
• B. $SPLUNK_HOME/etc/apps/bin
• C. $SPLUNK_HOME/etc/system/bin
• D. $SPLUNK_HOME/etc/apps/<your_app>/bin

Answer: ACD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/Getdatafromscriptedinputs#Where_to_place_the_scripts_for_scripted_inputs

NEW QUESTION 8
The priority of layered Splunk configuration files depends on the file’s:

• A. Owner
• B. Weight
• C. Context
• D. Creation time

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

NEW QUESTION 9
Which setting in indexes.conf allows data retention to be controlled by time?

• A. maxDaysToKeep
• B. moveToFrozenAfter
• C. maxDataRetentionTime
• D. frozenTimePeriodInSecs

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/SmartStoredataretention

NEW QUESTION 10
Which of the following are methods for adding inputs in Splunk? (Select all that apply.)

• A. CLI
• B. Splunk Web
• C. Editing inpits.conf
• D. Editing monitor.conf

Answer: AB

Explanation:
Reference: http://dev.splunk.com/view/dev -guide/SP-CAAAE3A

NEW QUESTION 11
Where should apps be located on the deployment server that the clients pull from?

• A. $SPLUNK_HOME/etc/apps
• B. $SPLUNK_HOME/etc/search
• C. $SPLUNK_HOME/etc/master-apps
• D. $SPLUNK_HOME/etc/deployment-apps

Answer: A

Explanation:
Reference: https://answers.splunk.com/answers/371099/how-to-configure-deployment-apps-to-push-to-client.html

NEW QUESTION 12
During search time, which directory of configuration files has the highest precedence?

• A. $SPLUNK_HOME/etc/system/local
• B. $SPLUNK_HOME/etc/system/default
• C. $SPLUNK_HOME/etc/apps/app1/local
• D. $SPLUNK_HOME/etc/users/admin/local

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

NEW QUESTION 13
What are the minimum required settings when creating a network input in Splunk?

• A. Protocol, port number
• B. Protocol, port, location
• C. Protocol, username, port
• D. Protocol, IP, port number

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Data/UsetheHTTPEventCollector

NEW QUESTION 14
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

• A. Indexers
• B. Forwarder
• C. Search head
• D. Search peers

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Advancedindexingstrategy

NEW QUESTION 15
Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)

• A. CLI
• B. Edit inputs.conf
• C. Edit forwarder.conf
• D. Forwarder Management

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Configuretheuniversalforwarder

NEW QUESTION 16
In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?

• A. To ensure that hot buckets are still open for writers and have not been forced to roll to a cold state.
• B. To ensure that configuration files have not been tampered with for auditing and/or legal purposes.
• C. To ensure that user passwords have not been tampered with for auditing and/or legal purposes.
• D. To ensure that data has not been tampered with for auditing and/or legal purposes.

Answer: D

Explanation:
Reference: https://www.splunk.com/blog/2015/10/28/data-integrity-is-back-baby.html

NEW QUESTION 17
What is required when adding a native user to Splunk? (Select all that apply.)

• A. Password
• B. Username
• C. Full Name
• D. Default app

Answer: CD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/Addandeditusers

NEW QUESTION 18
How does the Monitoring Console monitor forwarders?

• A. By pulling internal logs from forwarders.
• B. By using the forwarder monitoring add-on.
• C. With internal logs forwarded by forwarders.
• D. With internal logs forwarder by deployment server.

Answer: A

NEW QUESTION 19
What type of data is counted against the Enterprise license at a fixed 150 bytes per event?

• A. License data
• B. Metrics data
• C. Internal Splunk data
• D. Internal Windows logs

Answer: B

Explanation:
Reference: https://answers.splunk.com/answers/581441/how-is-the-splunk-license-measured.html

NEW QUESTION 20
In this sourcetype definition the MAX_TIMESTAMP_LOOKAHEAD is missing. Which value would fit best?
[sshd_syslog] TIME_PREFIX = ^
TIME_FORMAT = %Y-%m-%d %H:%M:%S.%3N %z
LINE_BREAKER = ([rn]+)d{4}-d{2}-d{2} d{2}:d{2}:d{2} SHOUD_LINEMERGE = false
TRUNCATE = 0
Event example: 2021-04-13 13:42:41.214 -0500 server sshd[26219]: Connection from 172.0.2.60 port 47366

• A. MAX_TIMESTAMP_LOOKAHEAD = 5
• B. MAX_TIMESTAMP_LOOKAHEAD = 10
• C. MAX_TIMESTAMP_LOOKAHEAD = 20
• D. MAX_TIMESTAMP_LOOKAHEAD = 30

Answer: B

NEW QUESTION 21
Which Splunk component performs indexing and responds to search requests from the search head?

• A. Forwarder
• B. Search peer
• C. License master
• D. Search head cluster

Answer: B

Explanation:
Reference: https://www.edureka.co/blog/splunk-architecture/

NEW QUESTION 22
How would you configure your distsearch.conf to allow you to run the search below?
sourcetype=access_combined status=200 action=purchase splunk_server_group=HOUSTON

• A. [distributedSearch:NYC] default = false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON] default = falseservers = houston1:8089, houston2:8089
• B. [distributedSearch] servers =nyc1, nyc2, houston1, houston2 [distributedSearch:NYC] default = false servers = nyc1, nyc2 [distributedSearch:HOUSTON]default = false servers = houston1, houston2
• C. [distributedSearch] servers =nyc1:8089, nyc2:8089, houston1:8089, houston2:8089[distributedSearch:NYC] default= false servers = nyc1:8089, nyc2:8089 [distributedSearch:HOUSTON]default = falseservers = houston1:8089, houston2:8089
• D. [distributedSearch] servers =nyc1:8089; nyc2:8089; houston1:8089; houston2:8089[distributedSearch:NYC]default = false servers = nyc1:8089; nyc2:8089 [distributedSearch:HOUSTON] default = false servers = houston1:8089; houston2:8089

Answer: D

NEW QUESTION 23
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?

• A. Deployer
• B. Cluster master
• C. Deployment server
• D. Search head cluster master

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/PropagateSHCconfigurationchanges

NEW QUESTION 24
Which of the following statements apply to directory inputs? (Select all that apply.)

• A. All discovered text files are consumed.
• B. Compressed files are ignored by default.
• C. Splunk recursively traverses through the directory structure.
• D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer: C

Explanation:
Reference: https://answers.splunk.com/answers/133875/recursive-monitoring-of -directories.html

NEW QUESTION 25
......