When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?
AThe new search head connects to the captain and replays any recent configuration changes to bring it up to date.
BThe new search head connects to the deployer and replays any recent configuration changes to bring it up to date.
CThe new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date.
DThe new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date.
A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst case scenario, which queue(s) would be expected to fill up?
ATyping, merging, parsing, input
BParsing
CTyping
DIndexing, typing, merging, parsing, input
A customer is migrating their existing Splunk Indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?
A
Add new indexers to the cluster as peers, in the same site (if needed). 2. Ensure new indexers receive common configuration. 3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list.
B
Add new indexers to the cluster as peers, to a new site. 2. Ensure new indexers receive common configuration from the CM. 3. Decommission old indexers (one at a time) to allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list.
C
Add new indexers to the cluster as peers, in the same site. 2. Update the replication factor by +1 to Instruct the cluster to start replicating to new peers. 3. Allow time for CM to fix/migrate buckets to new hardware. 4. Remove all the old indexers from the CM's list.
D
Add new indexers to the cluster as new site. 2. Update cluster master (CM) server.conf to include the new available site. 3. Allow time for CM to fix/migrate buckets to new hardware. 4. Remove the old indexers from the CM's list.
Consider the search shown below.
What is this search's intended function?
ATo return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
BTo find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.
CTo return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.
DTo search the firewall index for web logs that have been denied and are of high severity.
A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?
ACreate a new role without the output_file capability that inherits the default user role and assign it to the users.
BCreate a new role with the output_file capability that inherits the default user role and assign it to the users.
CEdit the default user role and remove the output_file capability.
DClone the default user role, remove the output_file capability, and assign it to the users.
What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk space?
AA warm standby CM needs to be brought online as soon as possible before an indexer has an outage.
BThe indexer cluster will continue to operate as long as no indexers fail.
CIf the indexer cluster has site failover configured in the CM, the second cluster master will take over.
DThe indexer cluster will continue to operate as long as a replacement CM is deployed within 24 hours.
Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?
AMerging pipeline
BIndexing pipeline
CTyping pipeline
DParsing pipeline
Which statement is correct?
AIn general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search.
BAs a streaming command, streamstats performs better than stats since stats is just a reporting command.
CWhen trying to reduce a search result to unique elements, the dedup command is the only way to achieve this.
DFormatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers.
A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?
A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?
Alist monitor
Boneshot
Cbtprobe
Dtailingprocessor
Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:
Which file(s) will actually be actively monitored?
Data can be onboarded using apps, Splunk Web, or the CLI.
Which is the PS preferred method?
ACreate UDP input port 9997 on a UF.
BUse the add data wizard in Splunk Web.
CUse the inputs.conf file.
DUse a scripted input to monitor a log file.
A customer has written the following search:
How can the search be rewritten to maximize efficiency?
A.
B.
C.
D.
Which of the following processor occur in the indexing pipeline?
Atcp out, syslog out
BRegex replacement, annotator
CAggregator
DUTF-8, linebreaker, header
The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing.
Here is an excerpt from the cluster mater's server.conf:
Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?
AEnable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.
BLeave replication_factor=2, increase search_factor=2 and enable summary_replication.
CConvert the cluster to multi-site and modify the server.conf to be site_replication_factor=2, site_search_factor=2.
DIncrease replication_factor=3, search_factor=2 to protect the data, and allow there to always be a searchable copy.
Which of the following statements applies to indexer discovery?
AThe Cluster Master (CM) can automatically discover new indexers added to the cluster.
BForwarders can automatically discover new indexers added to the cluster.
CDeployment servers can automatically configure new indexers added to the cluster.
DSearch heads can automatically discover new indexers added to the cluster.
Which of the following statements is true, as it pertains to search head clustering (SHC)?
ASHC is supported on AIX, Linux, and Windows operating systems.
BMaximum number of nodes for a SHC is 10.
CSHC members must run on the same hardware specifications.
DMinimum number of nodes for a SHC is 5.
Which statement is true about subsearches?
ASubsearches are faster than other types of searches.
BSubsearches work best for joining two large result sets.
CSubsearches run at the same time as their outer search.
DSubsearches work best for small result sets.
A customer has a new set of hardware to replace their aging indexers. What method would reduce the amount of bucket replication operations during the migration process?
ADisable the indexing ports on the old indexers.
BDisable replication ports on the old indexers.
CPut the old indexers into manual detention.
DPut the old indexers into automatic detention.
A [script://] input sends data to a Splunk forwarder using which method?
AUDP stream
BTCP stream
CTemporary file
DSTDOUT/STDERR
A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?
AThe bucket types (hot, warm, or cold) have the same search performance characteristics within the customer's environment.
BWhile hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.
CSearching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
DBecause the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).
The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?
A
Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server. 3. Decommission old peers one at a time. 4. Remove old peers from the CM's list. 5. Update forwarders to forward to the new peers.
B
Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers. 3. Decommission old peers one at a time. 4. Remove old peers from the CM's list. 5. Update forwarders to forward to the new peers.
C
Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server. 3. Update forwarders to forward to the new peers. 4. Decommission old peers on at a time. 5. Restart the cluster master (CM).
D
Install new indexers. 2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers. 3. Update forwarders to forward to the new peers. 4. Decommission old peers one at a time. 5. Remove old peers from the CM's list.
A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles "" security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role.
If a new user is created and assigned to the operations role only, which indexes will the user have access to search?
Aoperations, network, _internal, _audit
Boperations
CNo Indexes
Doperations, network
A new single-site three indexer cluster is being stood up with replication_factor:2, search_factor:2. At which step would the Indexer Cluster be classed as "˜Indexing Ready' and be able to ingest new data?
Step 1: Install and configure Cluster Master (CM)/Master Node with base clustering stanza settings, restarting CM.
Step 2: Configure a base app in etc/master-apps on the CM to enable a splunktcp input on port 9997 and deploy index creation configurations.
Step 3: Install and configure Indexer 1 so that once restarted, it contacts the CM, download the latest config bundle.
Step 4: Indexer 1 restarts and has successfully joined the cluster.
Step 5: Install and configure Indexer 2 so that once restarted, it contacts the CM, downloads the latest config bundle
Step 6: Indexer 2 restarts and has successfully joined the cluster.
Step 7: Install and configure Indexer 3 so that once restarted, it contacts the CM, downloads the latest config bundle.
Step 8: Indexer 3 restarts and has successfully joined the cluster.
Preview
