cosas splunk

When monitoring directories that contain mixed file types, which setting should be omitted from inputs.conf and instead be overriden in props.conf?. sourcetype. host. source. index.

How are HTTP Event Collector (HEC) tokens configured in a managed Splunk Cloud environment?. Any token will be accepted by HEC, the data may just end up in the wrong index. A token is generated when configuring a HEC input, which should be provided to the application developers. Obtain a token from the organization’s application developers and apply it in Settings > Data Inputs > HTTP Event Collector > New Token. Open a support case for each new data input and a token will be provided.

The following Apache access log is being ingested into Splunk via a monitor input: How does Splunk determine the time zone for this event?. The value of the TZ attribute in props.conf for the access_combined sourcetype. The value of the TZ attribute in props.conf for the my.webserver.example host. The time zone of the Heavy/Intermediate Forwarder with the monitor input. The time zone indicator in the raw event data.

What syntax is required in inputs.conf to ingest data from files or directories?. A monitor stanza, sourcetype, and index is required to ingest data. A monitor stanza, sourcetype, index, and host is required to ingest data. A monitor stanza and sourcetype is required to ingest data. Only the monitor stanza is required to ingest data.

Which of the following are valid settings for file and directory monitor inputs?. host, index, source_length, _TCP_Routing, host_segment. host, index, sourcetype, _TCP_Routing, host_regex, host_segment. host, index, directory, host_regex, host_segment. host, index, sourcetype, _UDP_Routing, host_regex, host_segment.

Which of the following are features of a managed Splunk Cloud environment?. Availability of premium apps, no IP address whitelisting or blacklisting, deployed in US East AWS region. 20GB daily maximum data ingestion, no SSO integration, no availability of premium apps. Availability of premium apps, SSO integration, IP address whitelisting and blacklisting. Availability of premium apps, SSO integration, maximum concurrent search limit of 20.

Which of the following is correct in regard to configuring a Universal Forwarder as an Intermediate Forwarder?. This can only be turned on using the Settings > Forwarding and Receiving menu in Splunk Web/UI. The configuration changes can be made using Splunk Web, CLI, directly in configuration files, or via a deployment app. The configuration changes can be made using CLI, directly in configuration files, or via a deployment app. It is only possible to make this change directly in configuration files or via a deployment app.

It is only possible to make this change directly in configuration files or via a deployment app. Pauses a file monitor if the queue is full. Only creates a tail checkpoint of the monitored file. Ingests a file starting with new content and then reading older events. Prevents pre-existing content in a file from being ingested.

In case of a Change Request, which of the following should submit a support case for Splunk Support?. The party requesting the change. Certified Splunk Cloud administrator. Splunk infrastructure owner. Any person with the appropriate entitlement.

A monitor has been created in inputs.conf for a directory that contains a mix of file types. How would a Cloud Admin fine-tune assigned sourcetypes for different files in the directory during the input phase?. On the Indexer parsing the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza. On the forwarder collecting the data, leave sourcetype as automatic for the directory monitor. Then create a props.conf that assigns a specific sourcetype by source stanza. On the Indexer parsing the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files. On the forwarder collecting the data, set multiple sourcetype_source attributes for the directory monitor collecting the files. Then create a props.conf that filters out unwanted files.

Windows input types are collected in Splunk via a script which is configurable using the GUI. What is this type of input called?. Batch. Scripted. Modular. Front-end.

Which file or folder below is not a required part of a deployment app?. app.conf (in default or local). local.meta. metadata folder. props.conf.

Which of the following files is used for both search-time and index-time configuration?. inputs.conf. props.conf. macros.conf. savedsearch.conf.

What Splunk command will allow an administrator to view the runtime configuration instructions for a monitored file in inputs.conf on the forwarders?. ./splunk _internal call /services/data/inputs/filemonitor. ./splunk show config inputs.conf. ./splunk _internal rest /services/data/inputs/monitor. ./splunk show config inputs.

When should Splunk Cloud Support be contacted?. For scripted input troubleshooting. For all configuration changes. When unable to resolve issues or perform problem isolation. For resizing, license changes, or any purchases.

Where does the regex-replacement processor run?. Merging pipeline. Typing pipeline. Index pipeline. Parsing pipeline.

What is the correct syntax to monitor /apache/foo/logs, /apache/bar/logs, and /apache/bar/1/logs?. (monitor:///apache/*/logs]. (monitor:///apache/foo/logs, /apache/bar/logs, /apache/bar/1/logs]. [monitor:///apache/.../logs]. [monitor:///apache/foo/logs, /apache/bar/logs, and /apache/bar/1/logs].

In Splunk terminology, what is an index?. A data repository that contains raw, compressed data along with psidx files. A data repository that contains raw, compressed data along with tsidx files. A data repository that contains raw, uncompressed data along with psidx files. A data repository that contains raw, uncompressed data along with tsidx files.

When monitoring network inputs, there will be times when the forwarder is unable to send data to the indexers. Splunk uses a memory queue and a disk queue. Which setting is used for the disk queue?. queueSize. maxQueueSize. diskQueueSize. persistentQueueSize.

Which of the following takes place during the input phase?. Splunk annotates data with only 3 metadata keys: host, source, and sourcetype. Splunk sets the character encoding of the data. Splunk looks at the contents of the data to apply the correct source. Splunk breaks data into individual lines.

At what point in the indexing pipeline set is SEDCMD applied to data?. In the aggregator queue. In the parsing queue. In the exec pipeline. In the typing pipeline.

Which of the following stanzas would enable a TCP input on port 1025, allowing traffic from all IP addresses except 10.5.5.1?. [tcp://10.5.5.1:1025]. [tcp://1025] acceptFrom = !10.5.5.1. [tcp://1025]. [tcp://1025] acceptFrom = 10.5.5.1.

Which of the following is true when integrating LDAP authentication?. Splunk stores LDAP end user names and passwords on search heads. The mapping of LDAP groups to Splunk roles happens automatically. Splunk Cloud only supports Active Directory LDAP servers. New user data is cached the first time a user logs in.

When a forwarder phones home to a Deployment Server it compares the check-sum value of the forwarder’s app to the Deployment Server’s app. What happens to the app if the check-sum values do not match?. The app on the forwarder is always deleted and re-downloaded from the Deployment Server. The app on the forwarder is only deleted and re-downloaded from the Deployment Server if the forwarder’s app has a smaller check-sum value. The app is downloaded from the Deployment Server and the changes are merged. A warning is generated on the Deployment Server stating the apps are out of sync. An Admin will need to confirm which version of the app should be used.

When is data deleted from a Splunk Cloud index?. When buckets roll to frozen, without a defined archive. When data is deleted via the Splunk Cloud Admin GUI. When TA_Delete is downloaded and enabled from SplunkBase. When the deleteindex command is executed from the CLI.

What is the recommended method to test the onboarding of a new data source before putting it in production?. Send test data to a test index. Send data to the associated production index. Replicate Splunk deployment in a test environment. Send data to lastchanceindex.

Which of the following tasks is the responsibility of a Splunk Cloud administrator?. Configuring deployer. Configuring cluster master. Configuring indexers. Configuring indexes.

Which of the following is a correct statement about Universal Forwarders?. The Universal Forwarder must be able to contact the license master. Universal Forwarder must connect to Splunk Cloud via a Heavy Forwarder. Universal Forwarder can be an Intermediate Forwarder. The default output bandwidth is 500KBps.

Which of the following app installation scenarios can be achieved without involving Splunk Support?. Deploy premium apps. Install apps via the Request Install button. Install apps via self-service. Install apps that have not gone through the vetting process.

For the following data, what would be the correct attribute/value pair to use to successfully extract the correct timestamp from all the events?. TIME_FORMAT = %b %d %H:%M:%S %z. DATETIME_CONFIG = %Y-%m-%d %H:%M:%S %z. TIME_FORMAT = %b %d %H:%M:%S. DATETIME_CONFIG = %b %d %H:%M:%S.

Which monitor statement will retrieve only files that start with “access” in the directory /opt/log/www2/?. [monitor:///opt/log/.../access]. [monitor:///opt/log/www2/access*]. [monitor:///opt/log/www2/]. [monitor:///opt/log/.../].

Which of the following methods is valid for creating index-time field extractions?. Use the UI to create a sourcetype, specify the field name and corresponding regular expression with capture statement. Create a configuration app with the index-time props.conf and/or transforms.conf, and upload the app via UI. Use the CLI app to define settings in fields.conf, and restart Splunk Cloud. Use the rex command to extract the desired field, and then save as a calculated field.

Which of the following statements regarding apps in Splunk Cloud is true?. Self-service install of premium apps is possible. Only Cloud certified and vetted apps are supported. Any app that can be deployed in an on-prem Splunk Enterprise environment is also supported on Splunk Cloud. Self-service install is available for all apps on Splunkbase.

When using Splunk Universal Forwarders, which of the following is true?. No more than six Universal Forwarders may connect directly to Splunk Cloud. Any number of Universal Forwarders may connect directly to Splunk Cloud. Universal Forwarders must send data to an Intermediate Forwarder. There must be one Intermediate Forwarder for every three Universal Forwarders.

In which of the following situations should Splunk Support be contacted?. When a custom search needs tuning due to not performing as expected. When an app on Splunkbase indicates Request Install. Before using the delete command. When a new role that mirrors sc_admin is required.

Which of the following is not a path used by Splunk to execute scripts?. SPLUNK_HOME/etc/system/bin. SPLUNK_HOME/etc/apps/<app_name>/bin. SPLUNK_HOME/etc/scripts/local. SPLUNK_HOME/bin/scripts.

Which of the following statements is true about data transformations using SEDCMD?. Can only be used to mask or truncate raw data. Configured in props.conf and transforms.conf. Can be used to manipulate the sourcetype per event. Operates on a REGEX pattern match of the source, sourcetype, or host of an event.

Consider the following configurations: NULL, or unset, due to configuration conflict. access_combined. linux_secure. linux_secure, access_combined.

Which of the following lists all parameters supported by the acceptFrom argument?. IPv4, IPv6, CIDRs, DNS names, Wildcards. IPv4, IPv6, CIDRs, DNS names. CIDRs, DNS names, Wildcards. IPv4, CIDRs, DNS names, Wildcards.

Which of the following tasks is not managed by the Splunk Cloud administrator?. Forwarding events to Splunk Cloud. Upgrading the indexer’s Splunk software. Managing knowledge objects. Creating users and roles.

What is a private app?. An app where only a specific role has read and write access. An app that is only viewable by a specific user. An app that is created and used only by a specific organization. An app where only a specific role has read access.

Which of the following is true when using Intermediate Forwarders?. Intermediate Forwarders may be a mix of Universal and Heavy Forwarders. All Intermediate Forwarders must be Heavy Forwarders. Intermediate Forwarders may be Universal Forwarders or Heavy Forwarders, but may not be mixed. All Intermediate Forwarders must be Universal Forwarders.

Which of the following is a valid stanza in props.conf?. [sourcetype::linux_secure]. [host=nyc25]. [host::nyc*]. [host=nyc*].

Which of the following is not considered a best practice for the deployment server?. Create small, single-purpose deployment apps. Dedicate a Splunk instance as the deployment server. Use a Linux server as the deployment server. Create large, multi-purpose deployment apps.

A Splunk Cloud administrator is looking to allow a new group of Splunk users in the marketing department to access the Splunk environment and view a dashboard with relevant data. These users need to access marketing data (stored in the marketing_data index), but shouldn’t be able to access other data, such as events related to security or operations. Which approach would be the best way to accomplish these requirements?. Create a new user with access to the marketing_data index assigned. Create a new role that inherits the user role and remove the capability to search indexes other than marketing_data. Create a new role that inherits the admin role and assign access to the marketing_data index. Create a new role that does not inherit from any other role, turn on the same capabilities as the user role, and assign access to the marketing_data index.

Files from multiple systems are being stored on a centralized log server. The files are organized into directories based on the original server they came from. Which of the following is a recommended approach for correctly setting the host values based on their origin?. Use the host_segment setting. Set host = * in the monitor stanza. The host value cannot be dynamically set. Manually create a separate monitor stanza for each host, with the host = value set.

In which file can the SHOULD_LINEMERGE setting be modified?. transforms.conf. inputs.conf. props.conf. outputs.conf.

What is the recommended approach to collect data from network devices?. TCP/UDP Feed > Heavy Forwarder > Intermediate Forwarder > Splunk Cloud. TCP/UDP Feed > Syslog Server with Universal Forwarder > Splunk Cloud. TCP/UDP Feed > Universal Forwarder > Intermediate Forwarder > Splunk Cloud. TCP/UDP Feed > Intermediate Forwarder > Heavy Forwarder > Splunk Cloud.

Which of the following is an accurate statement about the delete command?. The delete command removes events from disk. By default, only admins can run the delete command. Events are virtually deleted by marking them as deleted. Deleting events reclaims disk space.

What can be used in a Splunk Cloud environment to create new sourcetypes?. Data Preview. props.conf can be edited directly from the GUI. Splunk’s CLI. Deployment Server.

Which statement is true about monitor inputs?. Monitor inputs are configured in the monitor.conf file. The ignoreOlderThan option allows files to be ignored based on the file modification time. The crcSalt setting is required. Monitor inputs can ignore a file’s existing content, indexing new data as it arrives, by configuring the tailProcessor option.

Where is the recommended place to deploy input apps that are not permitted on Splunk Cloud?. Universal Forwarder or Heavy Forwarder. Heavy Forwarder only. Universal Forwarder only. Apps cannot be installed on on-prem instances.

In what scenarios would transforms.conf be used?. Per-Event Index Routing, Applying Event Types, SEDCMD operations. Per-Event Sourcetype, Per-Event Host Name, Per-Event Index Routing. Per-Event Host Name, Per-Event Index Routing, SEDCMD operations. Per-Event Sourcetype, Per-Event Index Routing, Applying Event Types.

Li was asked to create a Splunk configuration to monitor syslog files stored on Linux servers at their organization. This configuration will be pushed out to multiple systems via a Splunk app using the on-prem deployment server. The system administrators have provided Li with a directory listing for the logging locations on three syslog hosts, which are representative of the file structure for all systems collecting this data. An example from each system is shown below: Host: syslog01 - File path: /var/log/network/syslog01/linux_secure/syslog.log Host: syslog02 - File path: /var/log/network/syslog02/linux_secure/syslog.log Host: us-syslog-01 - File path: /var/log/network/us-syslog-01/linux_secure/syslog.log.2020090801 Which monitor:// stanza could Li use in their app to ensure all three of these files are ingested into Splunk?. [monitor:///var/log/network/syslog*/linux_secure/*]. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log]. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log.*]. [monitor:///var/log/network/*syslog*/linux_secure/syslog.log*].

By default, which of the following capabilities are granted to the sc_admin role?. indexes_edit, edit_token_http, admin_all_objects, delete_by_keyword. indexes_edit, fsh_manage, acs_conf, list_indexerdiscovery. indexes_edit, fsh_manage, admin_all_objects, can_delete. indexes_edit, edit_token_http, admin_all_objects, edit_limits_conf.

When adding a directory monitor and specifying a sourcetype explicitly, it applies to all files in the directory and subdirectories. If automatic sourcetyping is used, a user can selectively override it in which file on the forwarder?. transforms.conf. props.conf. inputs.conf. outputs.conf.

Which of the following is the default bandwidth limit in the Splunk Universal Forwarder credentials package?. 0 KBps. 256 KBps. 512 KBps. 1024 KBps.

A customer wants to mask unstructured data before sending it to Splunk Cloud. Where should SEDCMD be configured for this?. props.conf on a Splunk Cloud search head. props.conf on a Heavy Forwarder. transforms.conf on a Splunk Cloud indexer. props.conf on a Universal Forwarder.

Which of the following files is used for both search-time and index-time configuration?. inputs.conf. props.conf. macros.conf. savesearch.conf.

Given the following set of files, which of the monitor stanzas below will result in Splunk monitoring all of the files ending with .log? Files: /var/log/www1/secure.log /var/log/www1/access.log /var/log/www2/logs/secure.log /var/log/www2/access.log /var/log/www2/access.log.1. [monitor:///var/log/*/*.log]. [monitor:///var/log/.../*.log]. [monitor:///var/log/*/*]. [monitor:///var/log/.../*].

A log file is being ingested into Splunk, and a few events have no date stamp. How would Splunk first try to determine the missing date of the events?. Splunk will take the date of a previous event within the log file. Splunk will use the current system time of the Indexer for the date. Splunk will use the date of when the file monitor was created. Splunk will take the date from the file modification time.

An index in Splunk is best described as which of the following?. A query language for data search. A real-time data monitoring tool. A structured database like SQL. A repository for parsed and searchable data.

How can data be deleted from an index in Splunk?. By using the 'clean' command. Through the Splunk Web interface. By using the 'delete' command. By modifying the rawdata files directly.

What is the name of the configuration file where you can define data transformations using regular expressions and other attributes?. transforms.conf. inputs.conf. props.conf. limits.conf.

Which of these tasks would typically be managed by a Splunk Cloud administrator? (Choose two). Creating and managing Splunk alerts. Physical server maintenance. Managing app and add-on installations. Designing network infrastructure.

What is the name of the option that you need to check in Splunk Web to enable LDAP authentication for your Splunk Cloud Platform deployment?. External/LDAP. External. LDAP/External. LDAP.

In Splunk Cloud topology, what role does the "Deployment Server" play?. Manages user accounts and authentication. Distributes configurations to forwarders. Aggregates and analyzes log data. Provides hardware and network support.

Which configuration file needs to be edited to configure the universal forwarder to act as a deployment client?. deploymentclient.conf. outputs.conf. server.conf. inputs.conf.

Deployment apps in Splunk can be used to manage forwarders in which ways?. Providing real-time data analysis. Distributing configuration changes and updates. Storing data locally on the forwarders. Encrypting data on the forwarders.

Which feature of forwarders can prevent data loss in case of network failure or congestion?. Data compression. Configurable buffering. Persistent queues. SSL security.

Which setting in inputs.conf can be used to set the host field to a static value for a monitor input?. host. host_override. host_segment. host_regex.

Which configuration file parameter can be used to modify line termination settings interactively, using the Set Source Type page in Splunk Web?. LINE_BREAKER. SHOULD_LINEMERGE. BREAK_ONLY_BEFORE. TRUNCATE.

75. What is the name of the process that breaks the stream of raw data into individual lines called events?. Line breaking. Event annotation. Event transformation. Timestamp extraction.

What is the name of the configuration file where you can specify the source type for a data input?. limits.conf. props.conf. inputs.conf. transforms.conf.

What is the name of the Splunk Cloud feature that allows you to get data from APIs and other remote data interfaces through scripted inputs?. Splunk Cloud Data Connectors. Splunk Cloud Data Integrations. Splunk Cloud Data Collectors. Splunk Cloud Data Sources.

Which configuration file needs to be edited to enable local indexing on the forwarder?. outputs.conf. inputs.conf. props.conf. transforms.conf.

What is the name of the default field that stores the timestamps in UNIX time when data is indexed?. _time. _timestamp. _date. _epoch.

What is the name of the tab in Splunk Web where you can set the indexes that a role can access?. Inheritance. Capabilities. Indexes. Restrictions.

Which feature of forwarders can prevent data loss in case of network failure or congestion?. Data compression. SSL security. Configurable buffering. Persistent queues.

Which type of forwarder can act as an intermediate forwarder to receive data from other forwarders and send it to the indexer?. Universal forwarder. Heavy forwarder. Light forwarder. Any type of forwarder.

Which type of forwarder can perform data parsing and enrichment before sending it to the indexer?. Universal forwarder. Heavy forwarder. Deployment server. Search head.

Which setting in inputs.conf can be used to specify the SSL certificate for a TCP or UDP input?. sslCertPath. sslRootCAPath. sslPassword. All of the above.

What is the name of the component that acts as a data manager and sends data to Splunk Cloud Platform indexers?. Heavy forwarder. Universal forwarder. Deployment server. License master.

Which file processor can be used to index files that are not actively written to or updated?. Monitor. MonitornoHandle. Upload. None of the above.

Which type of forwarder is a full Splunk Enterprise instance that can run apps and add-ons?. Universal forwarder. Heavy forwarder. Deployment server. Search head.

Which configuration file needs to be edited to configure the universal forwarder to act as a deployment client?. deploymentclient.conf. server.conf. outputs.conf. inputs.conf.

Which command can be used to install a universal forwarder on a Linux system?. splunk install forwarder. splunk forwarder install. splunk add forward-server. splunk enable boot-start.

Which setting in inputs.conf can be used to specify the command to run the script for a scripted input?. Script. Command. Exec. Run.

What is the main advantage of self-service Splunk Cloud over managed Splunk Cloud in terms of cost and control?. Self-service Splunk Cloud costs more to get started and maintain but allows your organization total control in setup and security configurations. Self-service Splunk Cloud costs less to get started and maintain and allows your organization total control in setup and security configurations. Self-service Splunk Cloud costs more to get started and maintain and requires your organization to rely on Splunk for setup and security configurations. Self-service Splunk Cloud costs less to get started and maintain but requires your organization to rely on Splunk for setup and security configurations.

Which option in Splunk web can be used to access the Guided Data On-boarding feature?. Add data. Data inputs. Data summary. Data models.

Which Windows-specific input type allows Splunk software to read special Windows log files such as the DNS debug server log?. MonitorNoHandle. Windows Event Log. Windows Registry. Windows Management Instrumentation (WMI).

What is the name of the dashboard that provides information on incoming data consumption and indexing rate for your Splunk Cloud Platform deployment?. Indexing Performance. Indexing Quality. Indexing Status. Indexing Overview.

Which configuration file determines how a universal forwarder forwards data to the indexer?. inputs.conf. outputs.conf. props.conf. transforms.conf.

What is the name of the attribute that specifies the sed script for data transformation in the props.conf file?. SEDCMD. FORMAT. DEST_KEY. TRANSFORMS.

Which setting in inputs.conf can be used to specify the interval at which the script runs for a scripted input?. Interval. Frequency. Schedule. Cron.

Which Splunk add-on simplifies the process of getting data into Splunk Cloud Platform from Windows Event Log channels?. Splunk Add-on for Windows. Splunk Add-on for Infrastructure. Splunk Add-on for Active Directory. Splunk Add-on for DNS.