A user has been asked to mask some sensitive data without tampering with the structure of the file /var/log/purchases/transactions.log that has the following format:
2020-01-01 00:01:20 User=bob SuperSecretNumber=123456789012 Operation=purchase
2020-01-01 16:15:32 User=alice SuperSecretNumber=123456789012 Operation=purchase
Which of the stanzas below will achieve this?
A
B
C
D
Which of the following takes place during the input phase?
A. Splunk annotates data with only 3 metadata keys: host, source, and sourcetype.
B. Splunk sets the character encoding of the data.
C. Splunk looks at the contents of the data to apply the correct source.
D. Splunk breaks data into individual lines.
What syntax is required in inputs.conf to ingest data from files or directories?
A. A monitor stanza, sourcetype, and index are required to ingest data.
B. A monitor stanza, sourcetype, index, and host are required to ingest data.
C. A monitor stanza and sourcetype are required to ingest data.
D. Only the monitor stanza is required to ingest data.
Which file or folder below is not a required part of a deployment app?
A. app.conf (in default or local)
B. local.meta
C. metadata folder
D. props.conf
Where does the regex-replacement processor run?
A. Merging pipeline
B. Typing pipeline
C. Index pipeline
D. Parsing pipeline
How are HTTP Event Collector (HEC) tokens configured in a managed Splunk Cloud environment?
A. Any token will be accepted by HEC; the data may just end up in the wrong index.
B. A token is generated when configuring a HEC input, which should be provided to the application developers.
C. Obtain a token from the organization’s application developers and apply it in Settings > Data Inputs > HTTP Event Collector > New Token.
D. Open a support case for each new data input and a token will be provided.
Li was asked to create a Splunk configuration to monitor syslog files stored on Linux servers at their organization. This configuration will be pushed out to multiple systems via a Splunk app using the on-prem deployment server.
The system administrators have provided Li with a directory listing for the logging locations on three syslog hosts, which are representative of the file structure for all systems collecting this data. An example from each system is shown below:
Host: us-syslog-01
File path: /var/log/network/us-syslog-01/linux_secure/syslog.log.2020090801
Which monitor:// stanza could Li use in their app to ensure all three of these files are ingested into Splunk?
Which of the following are features of a managed Splunk Cloud environment?
A. Availability of premium apps, no IP address whitelisting or blacklisting, deployed in US East AWS region.
B. 20GB daily maximum data ingestion, no SSO integration, no availability of premium apps.
C. Availability of premium apps, SSO integration, IP address whitelisting and blacklisting.
D. Availability of premium apps, SSO integration, maximum concurrent search limit of 20.
What does the followTail attribute do in inputs.conf?
A. Pauses a file monitor if the queue is full.
B. Only creates a tail checkpoint of the monitored file.
C. Ingests a file starting with new content and then reading older events.
D. Prevents pre-existing content in a file from being ingested.
A monitor has been created in inputs.conf for a directory that contains a mix of file types.
How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?
A. On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
B. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza.
C. On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.
D. On the forwarder collecting the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.
Which of the following files is used for both search-time and index-time configuration?
A. inputs.conf
B. props.conf
C. macros.conf
D. savedsearches.conf
What Splunk command will allow an administrator to view the runtime configuration instructions for a monitored file in inputs.conf on the forwarders?
D. [monitor:///apache/foo/logs, /apache/bar/logs, and /apache/bar/1/logs]
When monitoring network inputs, there will be times when the forwarder is unable to send data to the indexers. Splunk uses a memory queue and a disk queue.
Which setting is used for the disk queue?
A. queueSize
B. maxQueueSize
C. diskQueueSize
D. persistentQueueSize
At what point in the indexing pipeline set is SEDCMD applied to data?
A. In the aggregator queue
B. In the parsing queue
C. In the exec pipeline
D. In the typing pipeline
In what scenarios would transforms.conf be used?
A. Per-Event Index Routing, Applying Event Types, SEDCMD operations
B. Per-Event Sourcetype, Per-Event Host Name, Per-Event Index Routing
C. Per-Event Host Name, Per-Event Index Routing, SEDCMD operations
D. Per-Event Sourcetype, Per-Event Index Routing, Applying Event Types