
Splunk SPLK-3003 Splunk Core Certified Consultant Exam Practice Test

Demo: 12 questions
Total 85 questions

Splunk Core Certified Consultant Questions and Answers

Question 1

The data in Splunk is now subject to auditing and compliance controls. A customer would like to ensure that at least one year of logs is retained for both Windows and Firewall events. What data retention controls must be configured?

Options:

A.

maxTotalDataSizeMB and frozenTimePeriodInSecs

B.

coldToFrozenDir and coldToFrozenScript

C.

Splunk Volume and maxTotalDataSizeMB

D.

Splunk Volume and frozenTimePeriodInSecs
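The point behind this question is that Splunk freezes a bucket when either limit is hit first: its age passes frozenTimePeriodInSecs, or the index grows past maxTotalDataSizeMB (or its volume past maxVolumeDataSizeMB). A time limit alone therefore does not guarantee retention; a size cap can roll data to frozen months early, and frozen data is deleted unless coldToFrozenDir or coldToFrozenScript archives it. The following check is an added example written for this page, not Splunk code or part of the exam. It parses an indexes.conf fragment and per-index daily ingest figures, both constructed here for illustration, and reports every setting that would freeze data before one year has passed. The defaults it falls back on (frozenTimePeriodInSecs = 188697600, maxTotalDataSizeMB = 500000) are Splunk's shipped defaults; verify them against your version with `splunk btool indexes list --debug`.

```python
"""Check whether indexes.conf settings can actually hold N days of data.

A bucket is frozen when EITHER its age exceeds frozenTimePeriodInSecs OR the
index exceeds maxTotalDataSizeMB (or its volume exceeds maxVolumeDataSizeMB),
whichever happens first.  Retention therefore needs both a time floor and
enough size headroom for the expected ingest rate.
"""
import configparser

ONE_YEAR_SECS = 365 * 86400          # 31536000
DEFAULT_FROZEN_SECS = 188697600      # Splunk default frozenTimePeriodInSecs (~6 years)
DEFAULT_MAX_TOTAL_MB = 500000        # Splunk default maxTotalDataSizeMB per index

# Constructed indexes.conf fragment for illustration (not from a real deployment).
INDEXES_CONF = """
[volume:hot]
path = /opt/splunk/var/lib/splunk/hot
maxVolumeDataSizeMB = 2000000

[windows]
homePath = volume:hot/windows/db
coldPath = volume:hot/windows/colddb
thawedPath = $SPLUNK_DB/windows/thaweddb
frozenTimePeriodInSecs = 31536000

[firewall]
homePath = volume:hot/firewall/db
coldPath = volume:hot/firewall/colddb
thawedPath = $SPLUNK_DB/firewall/thaweddb
frozenTimePeriodInSecs = 7776000
maxTotalDataSizeMB = 100000
"""

# Constructed ingest estimates (indexed MB per day); in practice take them from
# the license usage report instead of guessing.
DAILY_INGEST_MB = {"windows": 1000, "firewall": 500}


def parse_conf(text):
    """Parse Splunk .conf (INI-like) text; Splunk keys are case-sensitive."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def volumes_used(section):
    """Volume names referenced by an index stanza's homePath/coldPath."""
    vols = set()
    for key in ("homePath", "coldPath"):
        path = section.get(key, "")
        if path.startswith("volume:"):
            vols.add(path[len("volume:"):].split("/", 1)[0])
    return vols


def retention_report(conf_text, daily_ingest_mb, min_age_secs=ONE_YEAR_SECS):
    """Return {index: [findings]}; an empty list means min_age_secs is achievable."""
    cp = parse_conf(conf_text)
    days = min_age_secs / 86400
    report, demand, members = {}, {}, {}
    for name, per_day in daily_ingest_mb.items():
        if not cp.has_section(name):
            report[name] = ["index stanza missing from indexes.conf"]
            continue
        sec = cp[name]
        findings = []
        needed_mb = per_day * days
        frozen = int(sec.get("frozenTimePeriodInSecs", DEFAULT_FROZEN_SECS))
        if frozen < min_age_secs:
            findings.append(f"frozenTimePeriodInSecs={frozen} freezes data after {frozen // 86400} days")
        max_mb = int(sec.get("maxTotalDataSizeMB", DEFAULT_MAX_TOTAL_MB))
        if max_mb < needed_mb:
            findings.append(f"maxTotalDataSizeMB={max_mb} holds about {max_mb / per_day:.0f} days at {per_day} MB/day")
        for vol in volumes_used(sec):
            demand[vol] = demand.get(vol, 0) + needed_mb   # volume cap is shared by all its indexes
            members.setdefault(vol, []).append(name)
        report[name] = findings
    for vol, needed_mb in demand.items():
        vsec = f"volume:{vol}"
        cap = int(cp[vsec].get("maxVolumeDataSizeMB", 0)) if cp.has_section(vsec) else 0
        if cap and cap < needed_mb:
            for name in members[vol]:
                report[name].append(f"volume {vol}: maxVolumeDataSizeMB={cap} < {needed_mb:.0f} MB needed by its indexes")
    return report


if __name__ == "__main__":
    for index, findings in retention_report(INDEXES_CONF, DAILY_INGEST_MB).items():
        print(index, "OK" if not findings else "; ".join(findings))
```

In the constructed input the windows index passes, while firewall is flagged twice: its 90-day frozenTimePeriodInSecs and a 100 GB cap that holds roughly 200 days at 500 MB/day. The volume check matters because a single maxVolumeDataSizeMB is shared by every index that points at the volume, so an index that looks fine in isolation can still be frozen early by its neighbours.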

Question 2

A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles – security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role.

If a new user is created and assigned to the operations role only, which indexes will the user have access to search?

Options:

A.

operations, network, _internal, _audit

B.

operations

C.

No Indexes

D.

operations, network
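The trap in this scenario is that importRoles is additive: a role's effective srchIndexesAllowed is the union of its own list and the lists of every role it imports, so a custom role that inherits a broadly permissioned role inherits that role's index access too. The code below is an added example for this page, not Splunk's own implementation or exam material. It parses a constructed authorize.conf, resolves the inheritance chain, and lists which indexes a role can search. Two things in it are assumptions: the `[role_user]` stanza is modelled on the shipped default (confirm the real value with `splunk btool authorize list role_user --debug`), and the wildcard rule implemented is the documented one that `*` never matches internal indexes beginning with `_`, which need `_*` or an explicit name.

```python
"""Resolve the indexes a Splunk role can search after importRoles inheritance.

Role inheritance in authorize.conf is a union: srchIndexesAllowed of every
imported role (recursively) is added to the role's own list.  A '*' pattern
matches only indexes whose name does not start with '_'.
"""
import configparser
import fnmatch

# Constructed authorize.conf mirroring the scenario.  [role_user] is an
# ASSUMPTION about the shipped default; verify it with btool on your version.
AUTHORIZE_CONF = """
[role_user]
srchIndexesAllowed = *
srchIndexesDefault = main

[role_security]
importRoles = user
srchIndexesAllowed = network

[role_operations]
importRoles = user
srchIndexesAllowed = operations
"""

# Least-privilege variant (constructed): inherit capabilities from a base role
# that grants no index access, so only the explicit index list applies.
LEAST_PRIVILEGE_CONF = """
[role_base_search]
search = enabled
srchIndexesAllowed =

[role_operations]
importRoles = base_search
srchIndexesAllowed = operations
"""

# Constructed inventory of indexes present on the search peers.
INDEXES = ["main", "network", "operations", "_internal", "_audit"]


def parse_conf(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str          # Splunk keys are case-sensitive
    cp.read_string(text)
    return cp


def _split(value):
    """Splunk lists are ';'-separated."""
    return [v.strip() for v in value.split(";") if v.strip()]


def effective_patterns(cp, role, seen=None):
    """Union of srchIndexesAllowed patterns for `role` and everything it imports."""
    seen = set() if seen is None else seen
    if role in seen:              # guard against import cycles
        return set()
    seen.add(role)
    section = f"role_{role}"
    if not cp.has_section(section):
        return set()
    patterns = set(_split(cp[section].get("srchIndexesAllowed", "")))
    for parent in _split(cp[section].get("importRoles", "")):
        patterns |= effective_patterns(cp, parent, seen)
    return patterns


def index_allowed(pattern, index):
    """Documented rule (assumed here): internal '_' indexes match only '_'-prefixed patterns."""
    if index.startswith("_") and not pattern.startswith("_"):
        return False
    return fnmatch.fnmatchcase(index, pattern)


def searchable_indexes(conf_text, role, inventory=INDEXES):
    """Sorted list of inventory indexes the role may search."""
    cp = parse_conf(conf_text)
    patterns = effective_patterns(cp, role)
    return sorted(i for i in inventory if any(index_allowed(p, i) for p in patterns))


if __name__ == "__main__":
    print("inherits user:", searchable_indexes(AUTHORIZE_CONF, "operations"))
    print("least privilege:", searchable_indexes(LEAST_PRIVILEGE_CONF, "operations"))
```

Under the assumed default, a user in the operations role sees every non-internal index, including network, because the inherited `*` is unioned with `operations`; the internal indexes stay hidden only because `*` does not match them. The least-privilege variant keeps the search capability but inherits no index patterns, which is the shape a consultant would recommend when index access is meant to separate teams.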

Question 3

Consider the search shown below.

What is this search’s intended function?

Options:

A.

To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.

B.

To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.

C.

To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.

D.

To search the firewall index for web logs that have been denied and are of high severity.

Question 4

Where are Splunk Data Model Acceleration (DMA) summaries stored?

Options:

A.

In tstatsHomePath

B.

In the .tsidx files.

C.

In summaryHomePath

D.

In journal.gz

Question 5

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

Options:

A.

None. Splunk default configurations will process the events as needed; the UF is not causing truncation.

B.

Configure the best practice magic 6 or great 8 props.conf settings.

C.

EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.

D.

Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.

Question 6

A customer has 30 indexers in an indexer cluster configuration and two search heads. They are working on writing an SPL search for a particular use-case, but are concerned that it takes too long to run for short time durations.

How can the Search Job Inspector capabilities be used to help validate and understand the customer concerns?

Options:

A.

Search Job Inspector provides statistics to show how much time and the number of events each indexer has processed.

B.

Search Job Inspector provides a Search Health Check capability that provides an optimized SPL query the customer should try instead.

C.

Search Job Inspector cannot be used to help troubleshoot the slow performing search; customer should review index=_introspection instead.

D.

The customer is using the transaction SPL search command, which is known to be slow.

Question 7

In a single indexer cluster, where should the Monitoring Console (MC) be installed?

Options:

A.

Deployer sharing a host with the cluster master.

B.

License master that has 50 clients or more.

C.

Cluster master node

D.

Production Search Head

Question 8

A customer has downloaded the Splunk App for AWS from Splunkbase and installed it in a search head cluster following the instructions using the deployer. A power user modifies a dashboard in the app on one of the search head cluster members. The app containing an updated dashboard is upgraded to the latest version by following the instructions via the deployer.

What happens?

Options:

A.

The updated dashboard will not be deployed globally to all users, due to the conflict with the power user’s modified version of the dashboard.

B.

Applying the search head cluster bundle will fail due to the conflict.

C.

The updated dashboard will be available to the power user.

D.

The updated dashboard will not be available to the power user; they will see their modified version.

Question 9

Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:

Which file(s) will actually be actively monitored?

Options:

A.

/var/log/secure

B.

/var/log/messages

C.

/var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure

D.

/var/log/secure, /var/log/messages

Question 10

A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst case scenario, which queue(s) would be expected to fill up?

Options:

A.

Typing, merging, parsing, input

B.

Parsing

C.

Typing

D.

Indexing, typing, merging, parsing, input
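Regex replacement transforms (TRANSFORMS-* and SEDCMD-* in props.conf) execute in the typing pipeline, so when they are too expensive the typing queue fills first and back-pressure then fills every queue upstream of it, while the queue downstream (indexing) stays empty. The quickest way to confirm this on a struggling indexer is to read the `group=queue` lines in `$SPLUNK_HOME/var/log/splunk/metrics.log`. The script below is an added example for this page, not Splunk code or exam material: it parses a constructed metrics.log excerpt and names the most downstream full queue as the bottleneck, with a hint about which props.conf settings live in that stage. The queue names and line layout follow metrics.log as shipped; the sample lines themselves are made up.

```python
"""Locate the indexing-pipeline bottleneck from metrics.log queue samples.

The pipeline is a chain of queues.  When one stage cannot keep up its queue
fills, and back-pressure then fills every queue upstream of it, so the
bottleneck is the most downstream queue that is full while the queue after it
is not.
"""
import re

# Upstream -> downstream order of the queues as named in metrics.log.
PIPELINE = ["splunktcpin", "parsingqueue", "aggqueue", "typingqueue", "indexqueue"]

# Which stage each queue feeds, and the props.conf settings that run there.
STAGE_HINT = {
    "splunktcpin": "network input; forwarders upstream will start to block",
    "parsingqueue": "parsing pipeline: LINE_BREAKER, CHARSET, NO_BINARY_CHECK",
    "aggqueue": "merging pipeline: SHOULD_LINEMERGE, BREAK_ONLY_BEFORE, TIME_FORMAT",
    "typingqueue": "typing pipeline: TRANSFORMS-*, SEDCMD-* (regex replacement)",
    "indexqueue": "indexing: disk I/O, tsidx writes, replication",
}

# Constructed metrics.log excerpt (not captured from a real system).
METRICS_LOG = """\
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=splunktcpin, blocked=true, max_size_kb=500, current_size_kb=499, current_size=410, largest_size=410, smallest_size=398
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=parsingqueue, blocked=true, max_size_kb=6144, current_size_kb=6143, current_size=5100, largest_size=5100, smallest_size=5040
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=aggqueue, blocked=true, max_size_kb=1024, current_size_kb=1024, current_size=905, largest_size=905, smallest_size=900
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=typingqueue, blocked=true, max_size_kb=500, current_size_kb=500, current_size=443, largest_size=443, smallest_size=440
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=queue, name=indexqueue, max_size_kb=500, current_size_kb=12, current_size=9, largest_size=40, smallest_size=0
03-21-2024 10:00:31.123 +0000 INFO  Metrics - group=pipeline, name=typing, processor=regexreplacement, cpu_seconds=27.910000, executes=44012, cumulative_hits=9920011
"""

QUEUE_RE = re.compile(r"group=queue, name=(?P<name>\w+), (?P<kv>.*)$")


def parse_queue_metrics(text):
    """Return {queue_name: {field: value}} from group=queue lines (last sample wins)."""
    queues = {}
    for line in text.splitlines():
        m = QUEUE_RE.search(line)
        if not m:
            continue
        fields = {}
        for pair in m.group("kv").split(", "):
            key, _, value = pair.partition("=")
            fields[key] = value
        queues[m.group("name")] = fields
    return queues


def fill_ratio(queue):
    """current_size_kb / max_size_kb, or 0.0 when max is unknown."""
    max_kb = float(queue.get("max_size_kb", 0))
    return float(queue.get("current_size_kb", 0)) / max_kb if max_kb else 0.0


def bottleneck(queues, full_threshold=0.9):
    """Return (bottleneck_queue_or_None, list_of_full_queues_in_pipeline_order)."""
    full = [name for name in PIPELINE if name in queues
            and (queues[name].get("blocked") == "true"
                 or fill_ratio(queues[name]) >= full_threshold)]
    for name in reversed(PIPELINE):      # most downstream full queue is the culprit
        if name in full:
            return name, full
    return None, full


if __name__ == "__main__":
    culprit, full = bottleneck(parse_queue_metrics(METRICS_LOG))
    print("full queues:", full)
    print("bottleneck:", culprit, "->", STAGE_HINT.get(culprit, "pipeline healthy"))
```

On the constructed sample the typing queue is the bottleneck and input, parsing and merging are full only because they sit behind it; the pipeline line for `processor=regexreplacement` with a high cpu_seconds figure is the corroborating evidence. The same parser works on a real metrics.log, or on the equivalent `index=_internal source=*metrics.log group=queue` search results, to tell an actual slow stage from its back-pressured neighbours.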

Question 11

What is the primary driver behind implementing indexer clustering in a customer’s environment?

Options:

A.

To improve resiliency as the search load increases.

B.

To reduce indexing latency.

C.

To scale out a Splunk environment to offer higher performance capability.

D.

To provide higher availability for buckets of data.

Question 12

Where does the bloomfilter reside?

Options:

A.

$SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8

B.

$SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/*.tsidx

C.

$SPLUNK_HOME/var/lib/splunk/fishbucket

D.

$SPLUNK_HOME/var/lib/splunk/indexfoo/db/db_1553504858_1553504507_8/rawdata
