Splunk Core User EXAM COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS) |ALREADY GRADED A+

Splunk Core User EXAM COMPLETE QUESTIONS AND CORRECT DETAILED ANSWERS (VERIFIED ANSWERS) |ALREADY GRADED A+ What is Splunk? - Answer- Aggregate, analyze and get answers from your machine data What Data? - Answer- Index any data from any source 3 main components of Splunk - Answer- Search head, indexer, forwarder How is Splunk deployed? - Answer- Splunk Enterprise, Splunk Cloud, Splunk Light Splunk Enterprise - Answer- installed and administered on prem Splunk Cloud - Answer- Splunk Ent as a scalable service, no infrastructure required What are splunk Apps? (4) - Answer- -Designed to address a wide variety of use cases and extend the power of splunk -Collections of files containing data inputs, UI elements, and/or knowledge objects -Allows for multiple workspaces for different use cases/user roles to co-exist on a single deployment -1000+ ready-made apps available on or admins build their own Splunk Enhanced solutions? (3) - Answer- ITSI, ES, UBA How many roles are there is Splunk? - Answer- 3 - User, Power, Admin What is the search and reporting app? (3) - Answer- -provides a default interface for searching and analyzing data -enables you to create knowledge objects, reports, dashboards -access by selecting the Search and Reporting button on the home app or from app view.. select Apps>Search&Reporting Data Summary? - Answer- Host, Source, Sourcetypes Host - Answer- Unique identifier of where the events originated (host name, IP Address) Source - Answer- Name of file, stream or other input Sourcetype - Answer- Specific data type or data format Indexer - Answer- Processes machine data, storing the results in indexes as events, enabling fast search and analysis What happens as the indexer indexes data? - Answer- It creates a number of files organized into sets of directories by age What does the indexer contain? - Answer- raw (compressed) data, indexes(points to raw data) Search head (5) - Answer- -Allows users to use the Splunk search language to search the index data. -Distribute requests to the indexers which perform the actual searches on the data. Search heads -Consolidate the results and extracts field value pairs from the events to the user -Knowledge objects on the search heads can be created to extract additional fields and transform the data without changing the underlying index data -Provide tools to enhance the search experience such as reports, dashboards, and visualizations Forwarders (4) - Answer- -Consume and send data to the index -Require minimal resources and have little impact on performance -Usually resides on machine where data originates -Primary way data is supplied for indexing Less common Splunk Components - Answer- Deployment Server, Cluster Master, License Master Types of Deployments (3) - Answer- -Standalone-Single Server -Basic-Splunk Server -Multi-Instance Standalone-Single Server (deployment) - Answer- 1 instance, for testing, POC, personal use and learning. Default settings Basic-Splunk Server (deployment) - Answer- Manage the deployment of forwarder configurations Where are forwarders installed on a basic deployment? - Answer- At the data source (usually production servers) Basic Deployment Requirements (3) - Answer- -less than 20GB -Less than 20 users -small amount of forwarders Multi Instance (deployment) (2) - Answer- -Increases indexing and searching capacity -Search management and index functions are split across multiple machines Requirements for Multi Instance deployment (3) - Answer- -Up to 100 GB per day -Supports 100 users -Several hundred forwarders Search Head Cluster (3) - Answer- -Services more users for increased search capacity -Allows users and searches to share resources -Coordinate activities to handle search requests and distribute the requests across the set of indexers Search Head Clusters require a minimum of ______ Search Heads - Answer- 3 What is used to manage and distribute apps to the members of the Search Head Cluster? - Answer- A Deployer Index Cluster (4) - Answer- -Configured to replicate data -Prevent Data Loss -Promote availability -Manage multiple indexes Non-replicating Index Clusters (2) - Answer- -Simplified Management -Do not provide availability or data recovery How many phases are in the Splunk Index Time Process (data ingestion)? - Answer- 3 - Input, Parsing, Indexing Input Phase (3) - Answer- -Handled at the source(usually a forwarder) -Data sources are being open and read -Data is handled as streams and any configuration settings are applied to the entire steam Parsing Phase (2) - Answer- -Handled by Indexers or Heavy Forwarders -Data is broken up into events and advanced processing can be performed Indexing Phase - Answer- -License meter runs as the data and is initially written to disk, prior to compression -After data is written to disk, it cannot be changed Data Input Types (5) - Answer- -Files and Directories -Network data -Script output -Windows Logs -HTTP Files and directories (Data Input Type) - Answer- Monitoring text files and/or directory structures containing text files Network Data (Data Input Type) - Answer- Listening on a port of network data Script Output (Data Input Type) - Answer- Executing a script and use the output from the script as an input WIndows Logs (Data Input Type) - Answer- Monitoring Windows event logs, AD, etc HTTP (Data Input Type) - Answer- Using the HTTP event collector You can also add data inputs through: (4) - Answer- -Apps/addons from splunkbase -Splunk Web -CLI -I When you index a data source, Splunk assigns ________________ - Answer- Metadata values (source, host, sourcetype, index) (T/F) Add data - Upload option creates - Answer- False How many times do local files get indexed under the Add data - Upload option? - Answer- Once (T/F) The Add Data - Monitor Option provides one-time and continuous monitoring? - Answer- True What is the main source of input for production environments? - Answer- Forwarders / Forward Option In the Add Data - Forward Option, remote machines gather and forward data to _________________ - Answer- Indexers over a receiving port (T/F) Splunk automatically determines the source type for major data types when there is enough data? - Answer- True Can you create a new source type name for a specific source? - Answer- Yes What is the search assistant? - Answer- Provides selections for how to create a search string (T/F) Search Assistance is enabled by default in the SPL editor user preferences. - Answer- True