Question No : 1
How do you remove missing forwarders from the Monitoring Console?

• A.By restarting Splunk.
• B.By rescanning active forwarders.
• C.By reloading the deployment server.
• D.By rebuilding the forwarder asset table.

Show Answers

Answer:

Question No : 2
Which Splunk component requires a Forwarder license?

• A.Search head
• B.Heavy forwarder
• C.Heaviest forwarder
• D.Universal forwarder

Show Answers

Answer:

Question No : 3
Using the CLI on the forwarder, how could the current forwarder to indexer configuration be viewed?

• A.splunk btool server list --debug
• B.splunk list forward-indexer
• C.splunk list forward-server
• D.splunk btool indexes list --debug

Show Answers

Answer:
Explanation:
Reference: https://community.splunk.com/t5/All-Apps-and-Add-ons/How-do-I-configure-a-Splunk-Forwarder-on-Linux/m-p/72078

Question No : 4
Which additional component is required for a search head cluster?

• A.Deployer
• B.Cluster Master
• C.Monitoring Console
• D.Management Console

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/SHCdeploymentoverview
The deployer. This is a Splunk Enterprise instance that distributes apps and other configurations to the cluster members. It stands outside the cluster and cannot run on the same instance as a cluster member. It can, however, under some circumstances, reside on the same instance as other Splunk Enterprise components, such as a deployment server or an indexer cluster master node.

Question No : 5
Which of the following are reasons to create separate indexes? (Choose all that apply.)

• A.Different retention times.
• B.Increase number of users.
• C.Restrict user permissions.
• D.File organization.

Show Answers

Answer:
Explanation:
Reference: https://community.splunk.com/t5/Getting-Data-In/Why-does-Splunk-have-multiple-indexes/m-p/12063

Question No : 6
When are knowledge bundles distributed to search peers?

• A.After a user logs in.
• B.When Splunk is restarted.
• C.When adding a new search peer.
• D.When a distributed search is initiated.

Show Answers

Answer:
Explanation:
"The search head replicates the knowledge bundle periodically in the background or when initiating a search. " "As part of the distributed search process, the search head replicates and distributes its knowledge objects to its search peers, or indexers. Knowledge objects include saved searches, event types, and other entities used in searching accorss indexes. The search head needs to distribute this material to its search peers so that they can properly execute queries on its behalf."
Reference: https://docs.splunk.com/Documentation/Splunk/8.0.5/DistSearch/Whatsearchheadssend

Question No : 7
Which artifact is required in the request header when creating an HTTP event?

• A.Token
• B.Manifest
• C.Host name

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/8.2.3/Data/FormateventsforHTTPEventCollector