getcertified4sure.com

SPLK-1003 Exam

Replace Splunk Enterprise Certified Admin SPLK-1003 Test Preparation





NEW QUESTION 1
Which Splunk forwarder type allows parsing of data before forwarding to an indexer?

  • A. Universal forwarder
  • B. Parsing forwarder
  • C. Heavy forwarder
  • D. Advanced forwarder

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/SplunkCloud/7.2.6/Forwarding/Typesofforwarders

NEW QUESTION 2
Where are license files stored?

  • A. $SPLUNK_HOME/etc/secure
  • B. $SPLUNK_HOME/etc/system
  • C. $SPLUNK_HOME/etc/licenses
  • D. $SPLUNK_HOME/etc/apps/licenses

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/LicenserCLIcommands

NEW QUESTION 3
When deploying apps, which attribute in the forwarder management interface determines the apps that clients install?

  • A. App Class
  • B. Client Class
  • C. Server Class
  • D. Forwarder Class

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Createdeploymentapps

NEW QUESTION 4
Which parent directory contains the configuration files in Splunk?

  • A. $SPLUNK_HOME/etc
  • B. $SPLUNK_HOME/var
  • C. $SPLUNK_HOME/conf
  • D. $SPLUNK_HOME/default

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Configurationfiledirectories

NEW QUESTION 5
How do you remove missing forwarders from the Monitoring Console?

  • A. By restarting Splunk.
  • B. By rescanning active forwarders.
  • C. By reloading the deployment server.
  • D. By rebuilding the forwarder asset table.

Answer: D

Explanation:
Reference: https://answers.splunk.com/answers/447096/how-to-remove-missing-forwarders-from-the-distribu.html

NEW QUESTION 6
What options are available when creating custom roles? (Select all that apply.)

  • A. Restrict search terms.
  • B. Whitelist search terms.
  • C. Limit the number of concurrent search jobs.
  • D. Allow or restrict indexes that can be searched.

Answer: AD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.2.6/Security/Aboutusersandroles

NEW QUESTION 7
Which option accurately describes the purpose of the HTTP Event Collector (HEC)?

  • A. A token-based HTTP input that is secure and scalable and that requires the use of forwarders.
  • B. A token-based HTTP input that is secure and scalable and that does not require the use of forwarders.
  • C. An agent-based HTTP input that is secure and scalable and that does not require the use of forwarders.
  • D. A token-based HTTP input that is insecure and non-scalable and that does not require the use of forwarders.

Answer: B

Explanation:
Reference: http://dev.splunk.com/view/event-collector/SP-CAAAE6M

NEW QUESTION 8
Which of the following are supported configuration methods to add inputs on a forwarder? (Select all that apply.)

  • A. CLI
  • B. Edit inputs.conf
  • C. Edit forwarder.conf
  • D. Forwarder Management

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Forwarder/7.3.1/Forwarder/Configuretheuniversalforwarder

NEW QUESTION 9
Which Splunk indexer operating system platform is supported when sending logs from a Windows universal forwarder?

  • A. Any OS platform.
  • B. Linux platform only.
  • C. Windows platform only.
  • D. None of the above.

Answer: C

NEW QUESTION 10
Which of the following apply to how distributed search works? (Select all that apply.)

  • A. The search head dispatches searches to the peers.
  • B. The search peers pull the data from the forwarders.
  • C. Peers run searches in parallel and return their portion of results.
  • D. The search head consolidates the individual results and prepares reports.

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/DistSearch/Whatisdistributedsearch

NEW QUESTION 11
Which authentication methods are natively supported within Splunk Enterprise? (Select all that apply.)

  • A. LDAP
  • B. SAML
  • C. RADIUS
  • D. Duo Multifactor Authentication

Answer: AD

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/SetupuserauthenticationwithSplunk

NEW QUESTION 12
Where should apps be located on the deployment server that the clients pull from?

  • A. $SPLUNK_HOME/etc/apps
  • B. $SPLUNK_HOME/etc/search
  • C. $SPLUNK_HOME/etc/master-apps
  • D. $SPLUNK_HOME/etc/deployment-apps

Answer: A

Explanation:
Reference: https://answers.splunk.com/answers/371099/how-to-configure-deployment-apps-to-push-to-client.html

NEW QUESTION 13
The priority of layered Splunk configuration files depends on the file’s:

  • A. Owner
  • B. Weight
  • C. Context
  • D. Creation time

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles

NEW QUESTION 14
What is the correct order of steps in Duo Multifactor Authentication?

  • A. 1. Request Login; 2. Connect to SAML server; 3. Duo MFA; 4. Create User session; 5. Authentication Granted; 6. Log into Splunk
  • B. 1. Request Login; 2. Duo MFA; 3. Authentication Granted; 4. Connect to SAML server; 5. Log into Splunk; 6. Create User session
  • C. 1. Request Login; 2. Check authentication / group mapping; 3. Authentication Granted; 4. Duo MFA; 5. Create User session; 6. Log into Splunk
  • D. 1. Request Login; 2. Duo MFA; 3. Check authentication / group mapping; 4. Create User session; 5. Authentication Granted; 6. Log into Splunk

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Security/ConfigureDuo

NEW QUESTION 15
To set up a network input in Splunk, what needs to be specified?

  • A. File path.
  • B. Username and password.
  • C. Network protocol and port number.
  • D. Network protocol and MAC address.

Answer: A

Explanation:
Reference: http://dev.splunk.com/view/dev-guide/SP-CAAAE3A

NEW QUESTION 16
In which Splunk configuration is the SEDCMD used?

  • A. props.conf
  • B. inputs.conf
  • C. indexes.conf
  • D. transforms.conf

Answer: A

Explanation:
Reference: https://answers.splunk.com/answers/212128/why-sedcmd-configured-in-propsconf-is-working-duri.html

NEW QUESTION 17
Which of the following enables compression for universal forwarders in outputs.conf?

  • A. [udpout:mysplunk_indexer11] compression=true
  • B. [tcpout] defaultGroup=my_indexers compressed=true
  • C. /opt/splunkforwarder/bin/splunk enable compression
  • D. [tcpount:my_indexers] server=mysplunk_indexer1:9997, mysplunk_indexer2:9997 decompression=false

Answer: B

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Outputsconf

NEW QUESTION 18
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

  • A. Indexers
  • B. Forwarder
  • C. Search head
  • D. Search peers

Answer: A

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/Advancedindexingstrategy

NEW QUESTION 19
Which setting in indexes.conf allows data retention to be controlled by time?

  • A. maxDaysToKeep
  • B. moveToFrozenAfter
  • C. maxDataRetentionTime
  • D. frozenTimePeriodInSecs

Answer: D

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Indexer/SmartStoredataretention

NEW QUESTION 20
Which layers are involved in Splunk configuration file layering? (Select all that apply.)

  • A. App context
  • B. User context
  • C. Global context
  • D. Forwarder context

Answer: AC

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Admin/Wheretofindtheconfigurationfiles

NEW QUESTION 21
Which of the following statements apply to directory inputs? (Select all that apply.)

  • A. All discovered text files are consumed.
  • B. Compressed files are ignored by default.
  • C. Splunk recursively traverses through the directory structure.
  • D. When adding new log files to a monitored directory, the forwarder must be restarted to take them into account.

Answer: C

Explanation:
Reference: https://answers.splunk.com/answers/133875/recursive-monitoring-of-directories.html

NEW QUESTION 22
During search time, which directory of configuration files has the highest precedence?

  • A. $SPLUNK_HOME/etc/system/local
  • B. $SPLUNK_HOME/etc/system/default
  • C. $SPLUNK_HOME/etc/apps/app1/local
  • D. $SPLUNK_HOME/etc/users/admin/local

Answer: C

Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.0/Admin/Wheretofindtheconfigurationfiles
