Splunk SPLK-3003 시험

Question No : 1

Data can be onboarded using apps, Splunk Web, or the CLI.
Which is the PS preferred method?

• A.Create UDP input port 9997 on a U
• B.Use the add data wizard in Splunk Web.
• C.Use the inputs.conffile.
• D.Use a scripted input to monitor a log file.

답을 확인하기

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Data/Howdoyouwanttoadddata

Question No : 2

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

• A.For non-production environments to keep their configurations in sync.
• B.To ensure every customer has exactly the same base settings.
• C.To provide settings that do not need to be customized to meet customer requirements.
• D.To provide settings that can be customized to meet customer requirements.

답을 확인하기

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/Wheretofindtheconfigurationfiles

Question No : 3

How could a role in which all users must specify an index=clausein all searches be configured?

• A.Set the authorize.confsetting: srchIndexesDefaultto no value.
• B.Set the authorize.confsetting: srchFilterto no value.
• C.Set the authorize.confsetting: srchIndexesAllowedto no value.
• D.Set the authorize.confsetting: srchJobsQuotato no value.

답을 확인하기

정답:

Question No : 4

A customer has written the following search:



How can the search be rewritten to maximize efficiency?
A)



B)



C)



D)

• A.Option A
• B.Option B
• C.Option C
• D.Option D

답을 확인하기

정답:

Question No : 5

Consider the scenario where the /var/log directory contains the files secure, messages, cron,audit.
A customer has created the following inputs.confstanzas in the same Splunk app in order to attempt to monitor the files secure and messages:



Which file(s) will actually be actively monitored?

• A./var/log/secure
• B./var/log/messages
• C./var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure
• D./var/log/secure, /var/log/messages

답을 확인하기

정답:

Question No : 6

Remove old peers from the CM’s list.

답을 확인하기

정답: C

Question No : 7

A customer has a Universal Forwarder (UF) with an inputs.confmonitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the Index time parsing occur?

• A.Indexer
• B.Universal forwarder
• C.Search head
• D.Heavy forwarder

답을 확인하기

정답:
Explanation:
Reference: https://www.learnsplunk.com/splunk-interview-questions.html

Question No : 8

An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week’s worth of data and are quite sensitive to search performance.
Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?

• A.- frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
• B.- maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
• C.- maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
• D.- frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB,maxHotSpanSecs

답을 확인하기

정답:

Question No : 9

A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data.
What is the proper message to communicate to the customer?

• A.The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer’s environment.
• B.While hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.
• C.Searching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.
• D.Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).

답을 확인하기

정답:

Question No : 10

A [script://]input sends data to a Splunk forwarder using which method?

• A.UDP stream
• B.TCP stream
• C.Temporary file
• D.STDOUT/STDERR

답을 확인하기

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/latest/Admin/inputsconf

Question No : 11

A customer has a search cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages.
Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?

• A.The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.
• B.The SHC will stop all scheduled search activity within the SH
• C.The SHC will function as expected as the minimum required number of nodes for a SHC is 3.
• D.The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.

답을 확인하기

정답:

Question No : 12

A customer wants to implement LDAP because managing local Splunk users is becoming too much of an overhead.
What configuration details are needed from the customer to implement LDAP authentication?

• A.API: Python script with PAM/RADIUS details.
• B.LDAP server: port, bind user credentials, path/to/groups, path/to/user.
• C.LDAP server: port, bind user credentials, base DN for groups, base DN for users.
• D.LDAP REST details, base DN for groups, base DN for users.

답을 확인하기

정답:
Explanation:
Reference: https://www.learnsplunk.com/splunk-ldap-authentication-configuration.html

Question No : 13

A site from a multi-site indexer cluster needs to be decommissioned.
Which of the following actions must be taken?

• A.Nothing. Decommissioning a site is not possible.
• B.Create an alias for where the new data should be sent.
• C.Remove the site from the list of available sites.
• D.Remove the site from the list of available sites and create an alias for where the new data should be sent.

답을 확인하기

정답:

Question No : 14

When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?

• A.All replicated copies will be rolled to frozen; original copies will remain.
• B.Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.
• C.The bucket rolls to frozen on all clustered indexers simultaneously.
• D.Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.

답을 확인하기

정답:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Bucketsandclusters

Question No : 15

A customer has a new set of hardware to replace their aging indexers.
What method would reduce the amount of bucket replication operations during the migration process?

• A.Disable the indexing ports on the old indexers.
• B.Disable replication ports on the old indexers.
• C.Put the old indexers into manual detention.
• D.Put the old indexers into automatic detention.

답을 확인하기

정답: