Splunk SPLK-3003 Splunk Core Certified Consultant Exam Practice Test

Demo: 12 questions
Total 85 questions

Splunk Core Certified Consultant Questions and Answers

Question 1

A [script://] input sends data to a Splunk forwarder using which method?

Options:

A. UDP stream

B. TCP stream

C. Temporary file

D. STDOUT/STDERR

Question 2

What happens when an index cluster peer freezes a bucket?

Options:

A. All indexers with a copy of the bucket will delete it.

B. The cluster master will ensure another copy of the bucket is made on the other peers to meet the replication settings.

C. The cluster master will no longer perform fix-up activities for the bucket.

D. All indexers with a copy of the bucket will immediately roll it to frozen.

Question 3

The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing. Here is an excerpt from the cluster master’s server.conf:

Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?

Options:

A. Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.

B. Leave replication_factor=2, increase search_factor=2 and enable summary_replication.

C. Convert the cluster to multi-site and modify the server.conf to be site_replication_factor=2, site_search_factor=2.

D. Increase replication_factor=3, search_factor=2 to protect the data, and allow there to always be a searchable copy.

Question 4

A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?

Options:

A. The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer’s environment.

B. While hot, warm, and cold buckets have the same search performance characteristics within the customer’s environment, due to their optimized structure, the thawed buckets are the most performant.

C. Searching hot and warm buckets results in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.

D. Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).

Question 5

A customer is using both internal Splunk authentication and LDAP for user management.

If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

Options:

A. The internal Splunk authentication will take precedence.

B. Authentication will only succeed if the password is the same in both systems.

C. The LDAP user account will take precedence.

D. Splunk will error as it does not support overlapping usernames.

Question 6

A working search head cluster has been set up and used for 6 months with just the native/local Splunk user authentication method. In order to integrate the search heads with an external Active Directory server using LDAP, which of the following statements represents the most appropriate method to deploy the configuration to the servers?

Options:

A. Configure the integration in a base configuration app located in shcluster-apps directory on the search head deployer, then deploy the configuration to the search heads using the splunk apply shcluster-bundle command.

B. Log onto each search using a command line utility. Modify the authentication.conf and authorize.conf files in a base configuration app to configure the integration.

C. Configure the LDAP integration on one Search Head using the Settings > Access Controls > Authentication Method and Settings > Access Controls > Roles Splunk UI menus. The configuration setting will replicate to the other nodes in the search head cluster eliminating the need to do this on the other search heads.

D. On each search head, login and configure the LDAP integration using the Settings > Access Controls > Authentication Method and Settings > Access Controls > Roles Splunk UI menus.

Question 7

A customer has written the following search:

How can the search be rewritten to maximize efficiency?

Options:

A. Option A

B. Option B

C. Option C

D. Option D

Question 8

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

Options:

A. For non-production environments to keep their configurations in sync.

B. To ensure every customer has exactly the same base settings.

C. To provide settings that do not need to be customized to meet customer requirements.

D. To provide settings that can be customized to meet customer requirements.

Question 9

A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?

Options:

A. Create a new role without the output_file capability that inherits the default user role and assign it to the users.

B. Create a new role with the output_file capability that inherits the default user role and assign it to the users.

C. Edit the default user role and remove the output_file capability.

D. Clone the default user role, remove the output_file capability, and assign it to the users.

Question 10

When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?

Options:

A. The new search head connects to the captain and replays any recent configuration changes to bring it up to date.

B. The new search head connects to the deployer and replays any recent configuration changes to bring it up to date.

C. The new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date.

D. The new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date.

Question 11

A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?

Options:

A. Enter the license master configuration via Splunk web on each indexer before disabling Splunk web.

B. Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle.

C. Update the Splunk PS base config license app and copy to each indexer.

D. Update the Splunk PS base config license app and deploy via the cluster master.

Question 12

A new search head cluster is being implemented. Which is the correct command to initialize the deployer node without restarting the search head cluster peers?

Options:

A. $SPLUNK_HOME/bin/splunk apply shcluster-bundle

B. $SPLUNK_HOME/bin/splunk apply cluster-bundle

C. $SPLUNK_HOME/bin/splunk apply shcluster-bundle -action stage

D. $SPLUNK_HOME/bin/splunk apply cluster-bundle -action stage
