Sistema y Datos

Which of the following is true regarding LDAP integration with Splunk Enterprise?. Having the change authentication capability will not allow setup of the LDAP integration. Mappings can be changed at any time if the user has the power role. A user cannot log in via LDAP unless they have an associated Splunk role. LDAP integration will not function unless all groups are mapped to an LDAP group.

What action is required to enable forwarder management in Splunk Web?. Navigate to Settings > Server Settings > General Settings, and set an App server port. Navigate to Settings > Forwarding and receiving, and click on Enable Forwarding. Create a server class and map it to a client inSPLUNK_HOME/etc/system/local/serverclass.conf. Place an app in theSPLUNK_HOME/etc/deployment-appsdirectory of the deployment server.

Which optional configuration setting in inputs .conf allows you to selectively forward the data to specific indexer(s)?. _TCP_ROUTING. _INDEXER_LIST. _INDEXER_GROUP. _INDEXER ROUTING.

Which layers are involved in Splunk configuration file layering? (select all that apply). App context. User context. Global context. Forwarder context.

What are the minimum required settings when creating a network input in Splunk?. Protocol, port number. Protocol, port, location. Protocol, username, port. Protocol, IP. port number.

Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations found in props.conf to be validated all through the UI?. Apps. Search. Data preview. Forwarder inputs.

What are the required stanza attributes when configuring the transforms. conf to manipulate or remove events?. REGEX, DEST. FORMAT. REGEX.SRC_KEY, FORMAT. REGEX, DEST_KEY, FORMAT. REGEX, DEST_KEY FORMATTING.

Where are license files stored?. $SPLUNK_HOME/etc/secure. $SPLUNK_HOME/etc/system. $SPLUNK_HOME/etc/licenses. $SPLUNK_HOME/etc/apps/licenses.

After an Enterprise Trial license expires, it will automatically convert to a Free license. How many days is an Enterprise Trial license valid before this conversion occurs?. 90 days. 60 days. 7 days. 14 days.

When would the following command be used?. To verify' the integrity of a local index. To verify the integrity of a SmartStore index. To verify the integrity of a SmartStore bucket. To verify the integrity of a local bucket.

An organization wants to collect Windows performance data from a set of clients, however, installing Splunk software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?. Use Local Windows host monitoring. Use Windows Remote Inputs with WMI. Use Local Windows network monitoring. Use an index with an Index Data Type of Metrics.

What is the order of precedence (from lowest # highest) within serverclass.conf in which attributes will be expressed?. [global] # [serverClass:<name>] # [serverClass:<name>:client:<client.name>]. [global] # [serverClass:<name>] # [app:<appname>]. [global] # [serverClass:<name>] # [serverClass:<name>:app:<appname>]. [global] # [serverClass:<name>] # [serverClass:<name>:client:<client.name>:user:<username>].

Load balancing on a Universal Forwarder is not scaling correctly. The forwarder's outputs. and the tcpout stanza are setup correctly. What else could be the cause of this scaling issue? (select all that apply). The receiving port is not properly setup to listen on the right port. The inputs . conf'S _SYSZOG_ROVTING is not setup to use the right group names. The DNS record used is not setup with a valid list of IP addresses. The indexAndForward value is not set properly.

Which of the following lists the three phases of the Splunk Indexing process in order?. Ingest phaseLicensing phaseParsing phase. Sourcetype phaseIndex phaseWrite-to-disk phase. Input phaseParsing phaseIndexing phase. Ingest phaseTransforming phaseIndexing phase.

Which of the following is a benefit of distributed search?. Peers run search in sequence. Peers run search in parallel. Resilience from indexer failure. Resilience from search head failure.

All search-time field extractions should be specified on which Splunk component?. Deployment server. Universal forwarder. Indexer. Search head.

Which setting allows the configuration of Splunk to allow events to span over more than one line?. SHOULD_LINEMERGE = true. BREAK_ONLY_BEFORE_DATE = true. BREAK_ONLY_BEFORE = <REGEX pattern>. SHOULD_LINEMERGE = false.

Which of the following statements describe deployment management? (select all that apply). Requires an Enterprise license. Is responsible for sending apps to forwarders. Once used, is the only way to manage forwarders. Can automatically restart the host OS running the forwarder.

Which of the following Splunk components require a separate installation package?. Deployment server. License master. Universal forwarder. Heavy forwarder.

When configuring HTTP Event Collector (HEC) input, how would one ensure the events have been indexed?. Enable indexer acknowledgment. Enable forwarder acknowledgment. splunk check-integrity -index <index name>. index=_internal component=ACK | stats count by host.

How does the Monitoring Console monitor forwarders?. By pulling internal logs from forwarders. By using the forwarder monitoring add-on. With internal logs forwarded by forwarders. With internal logs forwarded by deployment server.

How is a remote monitor input distributed to forwarders?. As an app. As a forward.conf file. As a monitor.conf file. As a forwarder monitor profile.

A non-clustered Splunk environment has three indexers (A,B,C) and two search heads (X, Y). During a search executed on search head X, indexer A crashes. What is Splunk's response?. Update the user in Splunk web informing them that the results of their search may be incomplete. Repeat the search request on indexer B without informing the user. Update the user in Splunk web that their results may be incomple and that Splunk will try to re-execute the search. Inform the user in Splunk web that their results may be incomplete and have them attempt the search from search head Y.

There is a file with a vast amount of old data. Which of the following inputs.conf attributes would allow an admin to monitor the file for updates without indexing the pre-existing data?. IgnoreOlderThan. allowList. monitor. followTail.

How do you remove missing forwarders from the Monitoring Console?. By restarting Splunk. By rescanning active forwarders. By reloading the deployment server. By rebuilding the forwarder asset table.

This file has been manually created on a universal forwarder \opt\splunkforwarder\etc\apps\my_TA\local\inputs.conf [monitor:///var/log/messages] sourcetype:syslog index=syslog A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new inputs.conf file: \opt\splunkforwarder\etc\apps\my_TA\local\inputs.conf [monitor:///var/log/maillog] sourcetype:maillog index=syslog Which file is now monitored?. /var/log/messages. /var/log/maillog. /var/log/maillog and /var/log/messages. none of the above.

What is the name of the object that stores events inside of an index?. Container. Bucket. Data layer. Indexer.

When does a warm bucket roll over to a cold bucket?. When Splunk is restarted. When the maximum warm bucket age has been reached. When the maximum warm bucket size has been reached. When the maximum number of warm buckets is reached.

After configuring a universal forwarder to communicate with an indexer, which index can be checked via the Splunk Web UI for a successful connection?. index=main. index=test. index=summary. index=_internal.

Which network input option provides durable file-system buffering of data to mitigate data loss due to network outages and splunkd restarts?. diskQueueSize. durableQueueSizeC persistentOueueSize. queueSize.

Which of the following describes a Splunk deployment server?. A Splunk Forwarder that deploys data to multiple indexers. A Splunk app installed on a Splunk Enterprise server. A Splunk Enterprise server that distributes apps. A server that automates the deployment of Splunk Enterprise to remote servers.

The following stanzas in inputs. conf are currently being used by a deployment client: [udp: //145.175.118.177:1001 Connection_host = dns sourcetype = syslog] Which of the following statements is true of data that is received via this input?. If Splunk is restarted, data will be queued and then sent when Splunk has restarted. Local firewall ports do not need to be opened on the deployment client since the port is defined in inputs.conf. The host value associated with data received will be the IP address that sent the data. If Splunk is restarted, data may be lost.

Which of the following are available input methods when adding a file input in Splunk Web? (Choose all that apply.). Index once. Monitor interval. On-demand monitor. Continuously monitor.

Which of the following statements accurately describes using SSL to secure the feed from a forwarder?. It does not encrypt the certificate password. SSL automatically compresses the feed by default. It requires that the forwarder be set to compressed=true. It requires that the receiver be set to compression=true.

In addition to single, non-clustered Splunk instances, what else can the deployment server push apps to?. Universal forwarders. Splunk Cloud. Linux package managers. Windows using WMI.

Who provides the Application Secret, Integration, and Secret keys, as well as the API Hostname when setting up Duo for Multi-Factor Authentication in Splunk Enterprise?. Duo Administrator. LDAP Administrator. SAML Administrator. Trio Administrator.

When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?. On Universal Forwarder, $SPLUNK_HOME/etc/apps. On Deployment Server, $SPLUNK_HOME/etc/apps. On Deployment Server, $SPLUNK_HOME/etc/deployment-apps. On Universal Forwarder, $SPLUNK_HOME/etc/deployment-apps.

In this example, ifuseACKis set to true and themaxQueueSizeis set to 7MB, what is the size of the wait queue on this universal forwarder?. 21MB. 28MB. 14MB. 7MB.

What is the valid option for a [monitor] stanza in inputs.conf?. enabled. datasource. server_name. ignoreOlderThan.

Which of the following is valid distribute search group?. option A. option B. option C. option D.

How often does Splunk recheck the LDAP server?. Every 5 minutes. Each time a user logs in. Each time Splunk is restarted. Varies based on LDAP_refresh setting.

What is a role in Splunk? (select all that apply). A classification that determines what capabilities a user has. A classification that determines if a Splunk server can remotely control another Splunk server. A classification that determines what functions a Splunk server controls. A classification that determines what indexes a user can search.

For single line event sourcetypes. it is most efficient to set SHOULD_linemerge to what value?. True. False. <regex string>. Newline Character.

Which of the following are supported options when configuring optional network inputs?. Metadata override, sender filtering options, network input queues (quantum queues). Metadata override, sender filtering options, network input queues (memory/persistent queues). Filename override, sender filtering options, network output queues (memory/persistent queues). Metadata override, receiver filtering options, network input queues (memory/persistent queues).

What event-processing pipelines are used to process data for indexing? (select all that apply). fifo pipeline. Indexing pipeline. Parsing pipeline. Typing pipeline.

Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?. Indexer clustering. LDAP control. Distributed search. Search head clustering.

Which of the following are reasons to create separate indexes? (Choose all that apply.). Different retention times. Increase number of users. Restrict user permissions. File organization.

The following stanza is active in indexes.conf: [cat_facts] maxHotSpanSecs = 3600 frozenTimePeriodInSecs = 2630000 maxTota1DataSizeMB = 650000 All other related indexes.conf settings are default values. If the event timestamp was 3739283 seconds ago, will it be searchable?. Yes, only if the bucket is still hot. No, because the index will have exceeded its maximum size. Yes, only if the index size is also below 650000 MB. No, because the event time is greater than the retention time.

Which default Splunk role could be assigned to provide users with the following capabilities? Create saved searches Edit shared objects and alerts Not allowed to create custom roles. admin. power. user. splunk-system-role.

What is the default value of LINE_BREAKER?. \r\n. ([\r\n]+). \r+\n+. (\r\n+).

Which of the following statements describes how distributed search works?. Forwarders pull data from the search peers. Search heads store a portion of the searchable data. The search head dispatches searches to the search peers. Search results are replicated within the indexer cluster.

Which Splunk component performs indexing and responds to search requests from the search head?. Forwarder. Search peer. License master. Search head cluster.

When Splunk is integrated with LDAP, which attribute can be changed in the Splunk UI for an LDAP user?. Default app. LDAP group. Password. Username.

What will the following inputs. conf stanza do? [script://myscript . sh] Interval=0. The script will run at the default interval of 60 seconds. The script will not be run. The script will be run only once for each time Splunk is restarted. The script will be run. As soon as the script exits, Splunk restarts it.

Which Splunk component distributes apps and certain other configuration updates to search head cluster members?. Deployer. Cluster master. Deployment server. Search head cluster master.

When using license pools, volume allocations apply to which Splunk components?. Indexers. Indexes. Heavy Forwarders. Search Heads.

In case of a conflict between a whitelist and a blacklist input setting, which one is used?. Blacklist. Whitelist. They cancel each other out. Whichever is entered into the configuration first.

Which of the following is the recommended guideline for creating a new user role?. Create a role that incorporates capabilities and index inheritance. Create a new unique role for each unique user. There are no recommended guidelines when creating new user roles. Create two roles based on capabilities and indexes, then utilize inheritance.

Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.). props.conf. inputs.conf. rawdata.conf. transforms.conf.

Which parent directory contains the configuration files in Splunk?. SSFLUNK_HOME/etc. SSPLUNK_HOME/var. SSPLUNK_HOME/conf. SSPLUNK_HOME/default.

Which configuration file would be used to forward the Splunk internal logs from a search head to the indexer?. props.conf. inputs.conf. outputs.conf. collections.conf.

A new forwarder has been installed with a manually createddeploymentclient.conf. What is the next step to enable the communication between the forwarder and the deployment server?. Restart Splunk on the deployment server. Enable the deployment client in Splunk Web under Forwarder Management. Restart Splunk on the deployment client. Wait for up to the time set in thephoneHomeIntervalInSecssetting.

Which of the following is a valid method to create a Splunk user?. Create a support ticket. Create a user on the host operating system. Splunk REST API. Add the username to users. conf.

What is the correct curl to send multiple events through HTTP Event Collector?. Curl "https://mysplunkserver.example.com:8088/services/collector" \ -H "Authorization: Splunk DF4S7ZE43GS1-8SFS-E777-0284GG91PF67" \ -d '{"event": "Hello World"}, {"event": "Hola Mundo"}, {"event": "Hallo Welt"}'. a.

Syslog files are being monitored on a Heavy Forwarder. Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?. Heavy Forwarder. Indexer. Search head. Deployment server.

The priority of layered Splunk configuration files depends on the file's: Owner. Weight. Context. Creation time.

A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?. homepath. thawedPath. summaryHomePath. colddeath.

In which phase do indexed extractions in props.conf occur?. Inputs phase. Parsing phase. Indexing phase. Searching phase.

What is required when adding a native user to Splunk? (select all that apply). Password. Username. Full Name. Default app.

When running the command shown below, what is the default path in which deployment server. conf is created? splunk set deploy-poll deployServer:port. SFLUNK_HOME/etc/deployment. SPLUNK_HOME/etc/system/local. SPLUNK_HOME/etc/system/default. SPLUNK_KOME/etc/apps/deployment.

Which additional component is required for a search head cluster?. Deployer. Cluster Master. Monitoring Console. Management Console.

After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?. channelTTL. connectionTimeout. autoLBFrequency. secsInFailurelnterval.

What type of Splunk license is pre-selected in a brand new Splunk installation?. Free license. Forwarder license. Enterprise trial license. Enterprise license.

Which of the following CLI commands removes a search peer from Distributed Search?. splunk remove search-server -auth admin:password 123.45.67.89:8089. splunk clear search-server -auth admin:password 123.45.67.89:8089. splunk clear search-peer -auth admin:password 123.45.67.89:8089. splunk remove search-peer -auth admin:password 123.45.67.89:8089.

In inputs. conf, which stanza would mean Splunk was only reading one local file?. [read://opt/log/crashlog/Jan27crash.txt]. [monitor::/ opt/log/crashlog/Jan27crash.txt]. [monitor:/// opt/log/]. [monitor:/// opt/log/ crashlog/Jan27crash.txt].

Which of the following is an acceptable channel value when using the HTTP Event Collector indexer acknowledgment capability?. GUID. DNS. Hash Checksum. IP Address.

What is the correct order of index time precedence? (For each of the following, highest precedence is shown at the top and lowest precedence is shown at the bottom). $SPLUNK_HOME/etc/system/default $SPLUNK_HOME/etc/system/local $SPLUNK_HOME/etc/users/<username>/<appname>/local $SPLUNK_HOME/etc/apps/<appname>/default $SPLUNK_HOME/etc/apps/<appname>/local. $SPLUNK_HOME/etc/users/<username>/<appname>/local $SPLUNK_HOME/etc/apps/<appname>/local $SPLUNK_HOME/etc/apps/<appname>/default $SPLUNK_HOME/etc/system/local $SPLUNK_HOME/etc/system/default. $SPLUNK_HOME/etc/users/<username>/<appname>/local (Highest) $SPLUNK_HOME/etc/system/default $SPLUNK_HOME/etc/apps/aaa/local $SPLUNK_HOME/etc/apps/zzz/default $SPLUNK_HOME/etc/system/local (Lowest of these listed). $SPLUNK_HOME/etc/apps/<appname>/default $SPLUNK_HOME/etc/apps/<appname>/local $SPLUNK_HOME/etc/users/<username>/<appname>/local $SPLUNK_HOME/etc/system/default $SPLUNK_HOME/etc/system/local.

Which of the following authentication types requires scripting in Splunk?. ADFS. LDAP. SAML. RADIUS.

Given a forwarder with the following outputs.conf configuration: [tcpout : mypartner] Server = 145.188.183.184:9097 [tcpout : hfbank] server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997 Which of thefollowing is a true statement?. Data will continue to flow to hfbank if 145.1 ga. 183.184 : 9097 is unreachable. Data is not encrypted to mypartner because 145.188 .183.184 : 9097 is specified by IP. Data is encrypted to mypartner because 145.183.184 : 9097 is specified by IP. Data will eventually stop flowing everywhere if 145.188.183.184 : 9097 is unreachable.

User role inheritance allows what to be inherited from the parent role? (select all that apply). Parents. Capabilities. Index access. Search history.

The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require multiple indexers. Following best practices, which types of Splunk component instances are needed?. Indexers, search head, universal forwarders, license master. Indexers, search head, deployment server, universal forwarders. Indexers, search head, deployment server, license master, universal forwarder. Indexers, search head, deployment server, license master, universal forwarder, heavy forwarder.

Which Splunk forwarder has a built-in license?. Light forwarder. Heavy forwarder. Universal forwarder. Cloud forwarder.

When should the Data Preview feature be used?. When extracting fields for ingested data. When previewing the data before searching. When reviewing data on the source host. When validating the parsing of data.

A log file contains 193 days worth of timestamped events. Which monitor stanza would be used to collect data 45 days old and newer from that log file?. followTail = -45d. ignore = 45d. includeNewerThan = -35d. ignoreOlderThan = 45d.

Which scenario is applicable given the stanzas in authentication.conf below? [authentication] externalTwoFactorAuthVendor = Duo externalTwoFactorAuthSettings = duoMFA [duoMFA] integrationKey = aGFwcHliaXJ0aGRheU1pZGR5 secretKey = YXVzdHJhaWxpYW5Gb3JHcmVw applicationKey = c3BsaW5raW5ndGhlcGx1bWJ1c3NpbmN1OTU apiHostname = 466993018.duosecurity.com failOpen = True timeout = 60. If Splunk cannot connect to the multifactor authentication provider, all logins will be denied. Multifactor authentication is required to log into the host operating system. The secretKey does not need to be protected since multifactor authentication is turned on. If Splunk cannot connect to the multifactor authentication provider, authentications will be successful without completing a multifactor challenge.vvvvvvv.

To set up a Network input in Splunk, what needs to be specified'?. File path. Username and password. Network protocol and port number. Network protocol and MAC address.

In a distributed environment, which Splunk component is used to distribute apps and configurations to the other Splunk instances?. Indexer. Deployer. Forwarder. Deployment server.

On the deployment server, administrators can map clients to server classes using client filters. Which of the following statements is accurate?. The blacklist takes precedence over the whitelist. The whitelist takes precedence over the blacklist. Wildcards are not supported in any client filters. Machine type filters are applied before the whitelist and blacklist.

Which of the following are required when defining an index in indexes. conf? (select all that apply). coldPath. homePath. frozenPath. thawedPath.

Social Security Numbers (PII) data is found in log events, which is against company policy. SSN format is as follows: 123-44-5678. Which configuration file and stanza pair will mask possible SSNs in the log events?. props.conf[mask-SSN]REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"FORMAT = $1<SSN>#####-$2KEY = _raw. props.conf[mask-SSN]REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"FORMAT = $1<SSN>###-##-$2DEST_KEY = _raw. transforms.conf[mask-SSN]REX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"FORMAT = $1<SSN>###-##-$2DEST_KEY = _raw. transforms.conf[mask-SSN]REGEX = (?ms)^(.)\<[SSN>\d{3}-?\d{2}-?(\d{4}.*)$"FORMAT = $1<SSN>###-##-$2DEST_KEY = _raw.

Seven different network switches are sending traffic to a server hosting a Universal Forwarder. Three of the devices are sending TCP data and four of the devices are sending UDP data. What is the minimum number of input stanzas that must be created on the Universal Forwarder to successfully capture data from all seven sources?. One. Seven. Four. Two.

In which scenario would a Splunk Administrator want to enable data integrity check when creating an index?. To ensure that hot buckets are still open for writes and have not been forced to roll to a cold state. To ensure that configuration files have not been tampered with for auditing and/or legal purposes. To ensure that user passwords have not been tampered with for auditing and/or legal purposes. To ensure that data has not been tampered with for auditing and/or legal purposes.

Which of the following configuration files are used with a universal forwarder? (Choose all that apply.). inputs.conf. monitor.conf. outputs.conf. forwarder.conf.

In a customer managed Splunk Enterprise environment, what is the endpoint URI used to collect data?. services/ collector. services/ inputs ? raw. services/ data/ collector. data/ collector.

What are the values forhostandindexfor[stanza1]used by Splunk during index time, given the following configuration files? imagen. host=server1index=unixinfo. host=server1index=searchinfo. host=searchsvr1index=searchinfo. host=unixsvr1index=unixinfo.

What is the default purpose of a Splunk Deployment Server?. To stage and deploy updates to /etc/pcer-apps/. To stage and deploy updates to $SPLUNK_HOME/etc/apps/. To stage and deploy updates to /etc/manager-apps/. To stage and deploy updates to /etc/deployment-apps/.

During search time, which directory of configuration files has the highest precedence?. $SFLUNK_KOME/etc/system/local. $SPLUNK_KCME/etc/system/default. $SPLUNK_HCME/etc/apps/app1/local. $SPLUNK HCME/etc/users/admin/local.

Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?. splunk btool server list --debug. splunk list forward-indexer. splunk list forward-server. splunk btool indexes list --debug.

How can native authentication be disabled in Splunk?. Remove the $SPLUNK_HOME/etc/passwd file. Create an empty $SPLUNK_HOME/etc/passwd file. Set SPLUNK_AUTHENTICATION=false in splunk-launch.conf. Set nativeAuthentication=false in authentication.conf.

Which of the following is accurate regarding the input phase?. Breaks data into events with timestamps. Applies event-level transformations. Fine-tunes metadata. Performs character encoding.

What options are available when creating custom roles? (select all that apply). Restrict search terms. Whitelist search terms. Limit the number of concurrent search jobs. Allow or restrict indexes that can be searched.

Where should apps be located on the deployment server that the clients pull from?. $SFLUNK_KOME/etc/apps. $SPLUNK_HCME/etc/sear:ch. $SPLUNK_HCME/etc/master-apps. $SPLUNK HCME/etc/deployment-apps.

In which Splunk configuration is the SEDCMD used?. props, conf. inputs.conf. indexes.conf. transforms.conf.