Splunk Admin questions with answers 2023
_introspection index tracks system performance and Splunk resource usage data. True or False. - True.
A deployment app can have config files, scripts and other resources, but it must follow normal app structure and include what two files? - &
A deployment client can belong to multiple server classes. True or False. - True.
A monitor input can only be used for specific files and not directories. True or False. - False. Splunk recursively traverses through the directory structure and indexes all discovered text files when a directory is specified.
A quarantined search peer is prevented from performing new searches but continues to attempt to service any currently running search. True or False. - True.
A user with 'edit_roles' and 'edit_user' capabilities can promote themselves to the full admin role. True or False. - True.
After a file monitor is set up and is running, if you decide to change the host value, will the new host value be reflected for the old data that has already been ingested? - No. All changes apply to the new data only. To reflect changes for your old data, you may need to delete and re-ingest the old data.
After running 'splunk add forward-server <IP:port>', the forwarder should be communicating with the indexer. Which of the following commands can be used to verify a successful connection? a) Search 'index=_internal host=forwarder_hostname' b) In the CLI on the indexer, run 'splunk display listen' c) In the CLI on the forwarder, run 'splunk list forward-server' - All.
An event index cannot be converted into a metrics index (or vice versa). True or False. - True.
An interval setting for scripted inputs can be specified in cron syntax. True or False. - True. You can specify the interval in either a number of seconds or cron syntax.
btool shows the on-disk configuration for the requested file. True or False. - True.
Changes made by editing .conf files are automatically detected. True or False. - False. Refreshing will force reload of some configs, but reloading all configs requires a restart.
Company A has a 600 GB license separated into 3 pools of 200 GB each. One department goes over the 200 GB limit on their pool by 25 GB, but the other 2 pools are only using 150 GB each. Since Company A hasn't gone over their full 600 GB, they will not get an alert. True or False. - False. Warnings and violations occur per pool.
Data can be sent in JSON or any raw data format to the event collector. True or False. - True.
Default will always take precedence over local configs. True or False. - False.
Event boundaries can be defined using at the UF. True or False. - True.
Event Collector can be set up on a UF. True or False. - False. Event Collector can be set up on an Indexer or HF.
Frozen buckets roll to thawed automatically. True or False. - False. To thaw a frozen bucket, you have to start by copying the bucket directory from the frozen directory to the thaweddb directory.
How long is the Splunk Enterprise trial license valid for before one of the other 3 license types must be activated? a) 30 days b) 60 days c) 90 days d) Indefinitely, as long as you stay under the 500 MB per day limit - b) 60 days.
How many simultaneous searches (ad hoc or scheduled) can one dedicated search head handle? a) 5 - 7 b) 8 - 12 c) 15 - 20 d) 20 - 25 - b) 8 - 12 [Exact numbers depend on the types of searches and the hardware--especially the number of CPU cores.]
If a knowledge object is shared globally, then the file in the metadata folder is updated with a stanza for the KO including the setting 'export = system'. True or False. - True.
If a user creates and shares a macro at the app level, then: a) It is moved to the user's local search folder. b) It remains in the user's local app folder, but others can now access it. c) It is moved to the default search folder. d) It is moved to the local search folder. - d) It is moved to the local search folder.
If the forwarder is set to send its data to 2 indexers at 30 sec intervals, does it switch exactly at the 30th second? - Not always. The forwarder does not want to send half an event to indexer1 and the other half to indexer2. To avoid this, if the forwarder is tailing a file, it waits for an EOF or a pause in IO before it switches.
If the indexing exceeds the daily license quota in a pool, your license will go into a violation. True or False. - False. If the indexing exceeds the daily quota in a pool, an alert is raised. If it is not fixed by midnight, then the alert turns into a warning. 5 or more warnings on an enforced Enterprise license, or 3 warnings on a Free license, in a rolling 30-day period, is a violation.
If you are installing a Search Head and an Indexer, Splunk requires an admin account on each instance. True or False. - True.
If you want a role that is "like" user but with some capabilities turned off, you can create a new role that inherits from the user role and remove some of the capabilities. True or False. - False. You will have to create a new role that does NOT inherit from the user role, and turn on all of the same capabilities as in the user role, except those you want turned off.
In a distributed environment, indexer peers run searches in parallel and return their portion of the results to the search head, which consolidates the results and prepares the reports. True or False. - True.
In an environment with a UF, Indexer and SH, where is the _fishbucket index located? - Each instance will have its own local _fishbucket index.
In the case of a file monitor whitelist and blacklist, the whitelist prevails. True or False. - False.
In the following sedcmd, what do <A>, <B>, <C> and <D> refer to? SEDCMD-example = /s<A>/<B><C>/<D> - <A> is the string to match; <B> is the replacement string; <C> is an optional capture group from the original string to keep; <D> is the flags: either the letter g to replace all matches, or a number to replace a specified match.
In the file example below, what is itops? [mysrctype] TRANSFORMS-itops = route_errs_warns - It is the namespace and is used to determine the sequence.
Indexes specified in the user's role are what is searched if the user does not specify an index when running an SPL search. True or False. - True.
Is it possible to use the host value and not the DNS name or IP address for a TCP input? How? - Yes. Under the stanza in set 'connection_host' to none and specify the host value.
It is best practice for the deployment server to be a dedicated Splunk instance. True or False. - True.
Document information
- Uploaded on: March 3, 2023
- Number of pages: 21
- Written in: 2022/2023
- Type: Exam (elaborations)
- Contains: Questions & answers