SPLUNK ENTERPRISE CERTIFIED
ADMIN EXAM
Which setting in indexes.conf allows data retention to be controlled by time?
A. maxDaysToKeep
B. moveToFrozenAfter
C. maxDataRetentionTime
D. frozenTimePeriodInSecs - Correct Answers -frozenTimePeriodInSecs
The universal forwarder has which capabilities when sending data? (Choose all that
apply.)
A. Sending alerts
B. Compressing data
C. Obfuscating/hiding data
D. Indexer acknowledgement - Correct Answers -Compressing data
Indexer acknowledgement
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first. - Correct Answers -Blacklist
In which Splunk configuration is the SEDCMD used?
A. props.conf
B. inputs.conf
C. indexes.conf
D. transforms.conf - Correct Answers -props.conf
Which of the following are supported configuration methods to add inputs on a
forwarder? (Choose all that apply.)
A. CLI
B. Edit inputs.conf
C. Edit forwarder.conf
D. Forwarder Management - Correct Answers -CLI
Edit inputs.conf
Which parent directory contains the configuration files in Splunk?
A. $SPLUNK_HOME/etc
B. $SPLUNK_HOME/var
C. $SPLUNK_HOME/conf
D. $SPLUNK_HOME/default - Correct Answers -$SPLUNK_HOME/etc
Which forwarder type can parse data prior to forwarding?
A. Universal forwarder
B. Heaviest forwarder
C. Hyper forwarder
D. Heavy forwarder - Correct Answers -Heavy forwarder
Which Splunk component consolidates the individual results and prepares reports in a
distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers - Correct Answers -Search head
Which Splunk component distributes apps and certain other configuration updates to
search head cluster members?
A. Deployer
B. Cluster master
C. Deployment server
D. Search head cluster master - Correct Answers -Deployer
Where should apps be located on the deployment server that the clients pull from?
A. $SPLUNK_HOME/etc/apps
B. $SPLUNK_HOME/etc/search
C. $SPLUNK_HOME/etc/master-apps
D. $SPLUNK_HOME/etc/deployment-apps - Correct Answers -$SPLUNK_HOME/etc/deployment-apps
This file has been manually created on a universal forwarder:
/opt/splunkforwarder/etc/apps/my_TA/local/inputs.conf
[monitor:///var/log/messages]
sourcetype=syslog
index=syslog
A new Splunk admin comes in and connects the universal forwarders to a deployment
server and deploys the same app with a new inputs.conf file:
/opt/splunk/etc/deployment-apps/my_TA/local/inputs.conf
[monitor:///var/log/maillog]
sourcetype=maillog
index=syslog
Which file is now monitored?
A. /var/log/messages
B. /var/log/maillog
C. /var/log/maillog and /var/log/messages
D. none of the above - Correct Answers -/var/log/maillog
In which phase of the index time process does the license metering occur?
A. Input phase
B. Parsing phase
C. Indexing phase
D. Licensing phase - Correct Answers -Indexing phase
You update a props.conf file while Splunk is running. You do not restart Splunk and you
run this command: splunk btool props list --debug. What will the output be?
A. A list of all the configurations on-disk that Splunk contains.
B. A verbose list of all configurations as they were when splunkd started.
C. A list of props.conf configurations as they are on-disk along with a file path from
which the configuration is located.
D. A list of the current running props.conf configurations along with a file path from
which the configuration was made. - Correct Answers -A list of props.conf configurations
as they are on-disk along with a file path from which the configuration is located.
When running the command shown below, what is the default path in which
deploymentserver.conf is created? splunk set deploy-poll deployServer:port
A. SPLUNK_HOME/etc/deployment
B. SPLUNK_HOME/etc/system/local
C. SPLUNK_HOME/etc/system/default
D. SPLUNK_HOME/etc/apps/deployment - Correct Answers -SPLUNK_HOME/etc/system/local
The priority of layered Splunk configuration files depends on the file's:
A. Owner
B. Weight
C. Context
D. Creation time - Correct Answers -Context