SPLUNK ENTERPRISE CERTIFIED
ADMIN EXAM
Splunk Components - Correct Answers -Forwarder (Universal and Heavy)
Indexer
Search Head
Deployment Server
What are the two types of Splunk Forwarders? - Correct Answers -Universal Forwarder
- A lightweight agent that forwards raw (unparsed) data; faster and uses fewer host
resources. Because it does not parse events, it cannot filter them, so more data is
sent to and indexed by the indexers.
Heavy Forwarder - A full Splunk Enterprise instance that parses data locally (and can
optionally index it), using more host resources. Because events are parsed before
leaving the host, it can filter and route them and sends only the parsed events to the
indexer.
What is an Indexer? - Correct Answers -A Splunk Enterprise instance that indexes data.
Transforms raw data into events and stores them in an index. Searches indexed data in
response to search requests (typically from a search head).
An indexer may also perform other components' functions: data input and search
management.
What is a Search Head? - Correct Answers -A Splunk Enterprise instance that handles
search management.
Distributes search requests to its search peers (the indexers), then merges their results
and returns them to the user. A search head that runs on a separate instance from its
search peers is called a dedicated search head.
What is a Deployment Server? - Correct Answers -A Splunk Enterprise instance that
distributes configs, apps and content updates ("deployment apps") to groups of Splunk
Enterprise instances called "deployment clients".
Component Functions - Indexing - Correct Answers -Indexer
Component Functions - Web - Correct Answers -Search Head
Component Functions - Direct Search - Correct Answers -Search Head
Component Functions - Forward to Indexer - Correct Answers -Forwarder
Component Functions - Deploy configurations - Correct Answers -Indexer, Forwarder,
Deployment Server
App directory names and Precedence - Correct Answers -In the Global Context -
app directories are prioritised in lexicographical (ASCII sort) order: digits sort before
letters and uppercase letters before lowercase, so an app named "Zapp" outranks one
named "search".
In the App/User Context - app directories are prioritised in reverse lexicographical
order.
btool - command to review merged settings for a conf file - Correct Answers -
splunk btool inputs list
btool - review merged settings for a conf file in app context - Correct Answers -
splunk btool --app=<app_name> inputs list
btool - review conf file settings and see where they are merged from - Correct Answers -
splunk btool inputs list --debug
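The precedence rules and the btool commands are easiest to understand by watching the merge happen. The following is an added example written for this study guide, not Splunk's own code: a small Python model of the global-context merge that produces output shaped like `splunk btool inputs list --debug`. The five inputs.conf files and the app names (search, Zcustom_app) are constructed for the example. The merge is a simplification of the documented rules (setting-level merge; layer order system/local > app local > app default > system/default; apps within a layer in ASCII order) and does not model the app/user context, `[default]` stanza inheritance, or btool's exact column layout.

```python
"""Miniature model of Splunk global-context .conf precedence, rendered like
`splunk btool inputs list [--debug]`. Added example; not Splunk code."""
import re
from collections import OrderedDict

# Constructed sample SPLUNK_HOME/etc tree: relative path -> file contents.
SAMPLE_FILES = {
    "etc/system/default/inputs.conf": """
[monitor:///var/log/auth.log]
sourcetype = linux_secure
disabled = 1
index = main
""",
    "etc/apps/search/default/inputs.conf": """
[monitor:///var/log/auth.log]
disabled = 0
index = os

[monitor:///var/log/secure]
sourcetype = linux_secure
""",
    "etc/apps/search/local/inputs.conf": """
[monitor:///var/log/auth.log]
index = linux
sourcetype = syslog
""",
    # Uppercase 'Z' sorts before lowercase 's' in ASCII, so this app outranks 'search'.
    "etc/apps/Zcustom_app/local/inputs.conf": """
[monitor:///var/log/auth.log]
index = security
""",
    "etc/system/local/inputs.conf": """
[monitor:///var/log/auth.log]
sourcetype = linux_secure
""",
}

_PATH_RE = re.compile(r"etc/(?:system|apps/(?P<app>[^/]+))/(?P<dir>default|local)/[^/]+\.conf")
_LAYER_RANK = {("system", "default"): 0, ("app", "default"): 1,
               ("app", "local"): 2, ("system", "local"): 3}


def _precedence(path):
    """Return (layer_rank, app_name); a lower layer_rank means lower precedence."""
    m = _PATH_RE.fullmatch(path)
    if not m:
        raise ValueError(f"not a Splunk conf path: {path}")
    app = m.group("app") or ""
    return _LAYER_RANK[("app" if app else "system", m.group("dir"))], app


def apply_order(paths):
    """Global-context apply order, lowest precedence first (later files overwrite).
    Within one layer, apps are applied in reverse ASCII order so the
    lexicographically first app is applied last and therefore wins."""
    by_app_desc = sorted(paths, key=lambda p: _precedence(p)[1], reverse=True)
    return sorted(by_app_desc, key=lambda p: _precedence(p)[0])  # stable sort


def parse_conf(text):
    """Minimal Splunk .conf parser: [stanza] headers and key = value lines."""
    stanzas, current = OrderedDict(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, OrderedDict())
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
        else:
            raise ValueError(f"malformed conf line: {raw!r}")
    return stanzas


def merge_global(files):
    """Return {stanza: {key: (value, source_path)}}. Settings merge per key,
    not per stanza, so a higher-precedence file only overrides the keys it sets."""
    merged = OrderedDict()
    for path in apply_order(files):
        for stanza, settings in parse_conf(files[path]).items():
            target = merged.setdefault(stanza, OrderedDict())
            for key, value in settings.items():
                target[key] = (value, path)
    return merged


def btool_list(files, debug=False):
    """Render the merged view; debug=True prefixes each setting with its winning file."""
    out = []
    for stanza, settings in merge_global(files).items():
        out.append(f"[{stanza}]")
        for key, (value, source) in sorted(settings.items()):
            out.append(f"{source:<45}{key} = {value}" if debug else f"{key} = {value}")
    return "\n".join(out)


if __name__ == "__main__":
    print(btool_list(SAMPLE_FILES, debug=True))
```

Running it shows `index = security` winning from etc/apps/Zcustom_app/local even though `search` also sets `index` in its local directory, and `sourcetype = linux_secure` winning from etc/system/local over the `syslog` value in search/local: the same two facts `splunk btool inputs list --debug` would show you on a real instance.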
What instances can serve as the license manager? - Correct Answers -Monitoring Console
Deployment Server
Indexer Cluster Manager Node
Search Head Cluster Deployer
Search Head
Indexer
(the license manager role is not typically run on a dedicated Splunk instance; it is
usually co-located with one of the above)
What are the Splunk Enterprise License types? - Correct Answers -Commercial
Volume-Based License
Infrastructure License
Developer
Dev/Test License
Developer License
Build Partner License
Other
Trial
Free
Pre-release
Describe the Commercial License types - Correct Answers -Volume-based:
licensed by daily indexed volume, in two tiers: less than 100 GB per day, or 100 GB or
more per day.
all Enterprise features.
single-instance and distributed installations.
can be stacked and assigned to license pools.
can't be stacked with Infrastructure licenses.
search is blocked if the stack is under 100 GB/day and it has accumulated several
license warnings; stacks of 100 GB/day or more are not search-blocked.