Splunk SPLK-3003 Core Certified Consultant || with Error-
free Solutions.
How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk
Instance?
A. The MC uses a REST endpoint to query the server.
B. Roles are manually assigned within the MC.
C. Roles are read from distsearch.conf.
D. The MC assigns all possible roles by default. correct answers A (Core slides pg. 67, initially
guesses using REST, then looks at distsearch.conf)
The universal forwarder (UF) should be used whenever possible, as it is smaller and more
efficient. In which of the following scenarios would a heavy forwarder (HF) be a more
appropriate choice?
A. When a predictable version of Python is required.
B. When filtering 10%-15% of incoming events.
C. When monitoring a log file.
D. When running a script. correct answers A ( Use the universal forwarder whenever possible, it
is smaller and more efficient. Only use a heavy forwarder when: • The UI is needed • Advanced
event-level routing is needed • You are filtering more than 80% of incoming events •
Anonymizing or masking data before forwarding to indexer • Predictable version of Python is
needed • Required by an app/modular input (HEC, DBX, Checkpoint OPSEC LEA)
When monitoring and forwarding events collected from a file containing unstructured textual
events, what is the difference in the Splunk2Splunk payload traffic sent between a universal
forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy
forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the
forwarder.)
A. The payload format sent from the UF versus the HF is exactly the same. The payload size is
identical because they're both sending 64K chunks.
B. The UF sends a stream of data containing one set of medata fields to represent the entire
stream, whereas the HF sends individual events, each with their own metadata fields attached,
resulting in a larger payload.
C. The UF will generally send the payload in the same format, but only when the sourcetype is
specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true.
D. The HF sends a stream correct answers B (HF adds data / parsing resulting in larger payload)
A non-ES customer has a concern about data availability during a disaster recovery event. Which
of the following Splunk Validated Architectures (SVAs) would be recommended for that use
case?
A. Topology Category Code: M4
,B. Topology Category Code: M14
C. Topology Category Code: C13
D. Topology Category Code: C3 correct answers A
Non-ES means it will not start with 10+
Data Availability means an indexer is always available
Disaster Recovery means it can tolerate a site outage
(pg 36 & 333, Core Notes)
Which event processing pipeline contains the regex replacement processor that would be called
upon to run event masking routines on events as they are ingested?
A. Merging pipeline
B. Indexing pipeline
C. Typing pipeline
D. Parsing pipeline correct answers C (https://wiki.splunk.com/Community:HowIndexingWorks)
Which statement is correct?
A. In general, search commands that can be distributed to the search peers should occur as early
as possible in a well-tuned search.
B. As a streaming command, streamstats performs better than stats since stats is just a reporting
command.
C. When trying to reduce a search result to unique elements, the dedup command is the only way
to achieve this.
D. Formatting commands such as fieldformat should occur as early as possible in the search to
take full advantage of the often larger number of search peers. correct answers A
In addition to the normal responsibilities of a search head cluster captain, which of the following
is a default behavior?
A. The captain is not a cluster member and does not perform normal search activities.
B. The captain is a cluster member who performs normal search activities.
C. The captain is not a cluster member but does perform normal search activities.
D. The captain is a cluster member but does not perform normal search activities. correct
answers B
What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk
space?
A. A warm standby CM needs to be brought online as soon as possible before an indexer has an
outage.
B. The indexer cluster will continue to operate as long as no indexers fail.
C. If the indexer cluster has site failover configured in the CM, the second cluster master will
take over.
D. The indexer cluster will continue to operate as long as a replacement CM is deployed within
24 hours. correct answers B
, (https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Whathappenswhenamanagernode
goesdown)
A working search head cluster has been set up and used for 6 months with just the native/local
Splunk user authentication method. In order to integrate the search heads with an external Active
Directory server using LDAP, which of the following statements represents the most appropriate
method to deploy the configuration to the servers?
A. Configure the integration in a base configuration app located in shcluster-apps directory on
the search head deployer, then deploy the configuration to the search heads using the splunk
apply shcluster-bundle command.
B. Log onto each search using a command line utility. Modify the authentication.conf and
authorize.conf files in a base configuration app to configure the integration.
C. Configure the LDAP integration on one Search Head using the Settings > Access Controls >
Authentication Method and Settings > Access Controls > Roles Splunk UI menus. The
configuration setting will correct answers A (best practice)
In an environment that has Indexer Clustering, the Monitoring Console (MC) provides
dashboards to monitor environment health. As the environment grows over time and new
indexers are added, which steps would ensure the MC is aware of the additional indexers?
A. No changes are necessary, the Monitoring Console has self-configuration capabilities.
B. Using the MC setup UI, review and apply the changes.
C. Remove and re-add the cluster master from the indexer clustering UI page to add new peers,
then apply the changes under the MC setup UI.
D. Each new indexer needs to be added using the distributed search UI, then settings must be
saved under the MC setup UI. correct answers B?
None of these
(pg 62, Core Notes)
A customer has 30 indexers in an indexer cluster configuration and two search heads. They are
working on writing SPL search for a particular use-case, but are concerned that it takes too long
to run for short time durations.How can the Search Job Inspector capabilities be used to help
validate and understand the customer concerns?
A. Search Job Inspector provides statistics to show how much time and the number of events
each indexer has processed.
B. Search Job Inspector provides a Search Health Check capability that provides an optimized
SPL query the customer should try instead.
C. Search Job Inspector cannot be used to help troubleshoot the slow performing search;
customer should review index=_introspection instead.
D. The customer is using the transaction SPL search command, which is known to be slow.
correct answers A
free Solutions.
How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk
Instance?
A. The MC uses a REST endpoint to query the server.
B. Roles are manually assigned within the MC.
C. Roles are read from distsearch.conf.
D. The MC assigns all possible roles by default. correct answers A (Core slides pg. 67, initially
guesses using REST, then looks at distsearch.conf)
The universal forwarder (UF) should be used whenever possible, as it is smaller and more
efficient. In which of the following scenarios would a heavy forwarder (HF) be a more
appropriate choice?
A. When a predictable version of Python is required.
B. When filtering 10%-15% of incoming events.
C. When monitoring a log file.
D. When running a script. correct answers A ( Use the universal forwarder whenever possible, it
is smaller and more efficient. Only use a heavy forwarder when: • The UI is needed • Advanced
event-level routing is needed • You are filtering more than 80% of incoming events •
Anonymizing or masking data before forwarding to indexer • Predictable version of Python is
needed • Required by an app/modular input (HEC, DBX, Checkpoint OPSEC LEA)
When monitoring and forwarding events collected from a file containing unstructured textual
events, what is the difference in the Splunk2Splunk payload traffic sent between a universal
forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy
forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the
forwarder.)
A. The payload format sent from the UF versus the HF is exactly the same. The payload size is
identical because they're both sending 64K chunks.
B. The UF sends a stream of data containing one set of medata fields to represent the entire
stream, whereas the HF sends individual events, each with their own metadata fields attached,
resulting in a larger payload.
C. The UF will generally send the payload in the same format, but only when the sourcetype is
specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true.
D. The HF sends a stream correct answers B (HF adds data / parsing resulting in larger payload)
A non-ES customer has a concern about data availability during a disaster recovery event. Which
of the following Splunk Validated Architectures (SVAs) would be recommended for that use
case?
A. Topology Category Code: M4
,B. Topology Category Code: M14
C. Topology Category Code: C13
D. Topology Category Code: C3 correct answers A
Non-ES means it will not start with 10+
Data Availability means an indexer is always available
Disaster Recovery means it can tolerate a site outage
(pg 36 & 333, Core Notes)
Which event processing pipeline contains the regex replacement processor that would be called
upon to run event masking routines on events as they are ingested?
A. Merging pipeline
B. Indexing pipeline
C. Typing pipeline
D. Parsing pipeline correct answers C (https://wiki.splunk.com/Community:HowIndexingWorks)
Which statement is correct?
A. In general, search commands that can be distributed to the search peers should occur as early
as possible in a well-tuned search.
B. As a streaming command, streamstats performs better than stats since stats is just a reporting
command.
C. When trying to reduce a search result to unique elements, the dedup command is the only way
to achieve this.
D. Formatting commands such as fieldformat should occur as early as possible in the search to
take full advantage of the often larger number of search peers. correct answers A
In addition to the normal responsibilities of a search head cluster captain, which of the following
is a default behavior?
A. The captain is not a cluster member and does not perform normal search activities.
B. The captain is a cluster member who performs normal search activities.
C. The captain is not a cluster member but does perform normal search activities.
D. The captain is a cluster member but does not perform normal search activities. correct
answers B
What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk
space?
A. A warm standby CM needs to be brought online as soon as possible before an indexer has an
outage.
B. The indexer cluster will continue to operate as long as no indexers fail.
C. If the indexer cluster has site failover configured in the CM, the second cluster master will
take over.
D. The indexer cluster will continue to operate as long as a replacement CM is deployed within
24 hours. correct answers B
, (https://docs.splunk.com/Documentation/Splunk/8.2.1/Indexer/Whathappenswhenamanagernode
goesdown)
A working search head cluster has been set up and used for 6 months with just the native/local
Splunk user authentication method. In order to integrate the search heads with an external Active
Directory server using LDAP, which of the following statements represents the most appropriate
method to deploy the configuration to the servers?
A. Configure the integration in a base configuration app located in shcluster-apps directory on
the search head deployer, then deploy the configuration to the search heads using the splunk
apply shcluster-bundle command.
B. Log onto each search using a command line utility. Modify the authentication.conf and
authorize.conf files in a base configuration app to configure the integration.
C. Configure the LDAP integration on one Search Head using the Settings > Access Controls >
Authentication Method and Settings > Access Controls > Roles Splunk UI menus. The
configuration setting will correct answers A (best practice)
In an environment that has Indexer Clustering, the Monitoring Console (MC) provides
dashboards to monitor environment health. As the environment grows over time and new
indexers are added, which steps would ensure the MC is aware of the additional indexers?
A. No changes are necessary, the Monitoring Console has self-configuration capabilities.
B. Using the MC setup UI, review and apply the changes.
C. Remove and re-add the cluster master from the indexer clustering UI page to add new peers,
then apply the changes under the MC setup UI.
D. Each new indexer needs to be added using the distributed search UI, then settings must be
saved under the MC setup UI. correct answers B?
None of these
(pg 62, Core Notes)
A customer has 30 indexers in an indexer cluster configuration and two search heads. They are
working on writing SPL search for a particular use-case, but are concerned that it takes too long
to run for short time durations.How can the Search Job Inspector capabilities be used to help
validate and understand the customer concerns?
A. Search Job Inspector provides statistics to show how much time and the number of events
each indexer has processed.
B. Search Job Inspector provides a Search Health Check capability that provides an optimized
SPL query the customer should try instead.
C. Search Job Inspector cannot be used to help troubleshoot the slow performing search;
customer should review index=_introspection instead.
D. The customer is using the transaction SPL search command, which is known to be slow.
correct answers A
