Question No : 1
What log file would you search to verify if you suspect there is a problem interpreting a regular expression in a monitor stanza?

• A.btool.log
• B.metrics.log
• C.splunkd.log
• D.tailing_processor.log

Show Answers

Answer:
Explanation:
Reference: https://answers.splunk.com/answers/479312/how-to-edit-inputsconf-to-monitor-multiple-files-w­1.html

Question No : 2
How does the average run time of all searches relate to the available CPU cores on the indexers?

• A.Average run time is independent of the number of CPU cores on the indexers.
• B.Average run time decreases as the number of CPU cores on the indexers decreases.
• C.Average run time increases as the number of CPU cores on the indexers decreases.
• D.Average run time increases as the number of CPU cores on the indexers increases.

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Capacity/Accommodatemanysimultaneoussearches

Question No : 3
To optimize the distribution of primary buckets; when does primary rebalancing automatically occur? (Select all that apply.)

• A.Rolling restart completes.
• B.Master node rejoins the cluster.
• C.Captain joins or rejoins cluster.
• D.A peer node joins or rejoins the cluster.

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Indexer/Rebalancethecluster

Question No : 4
A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk.
How many indexers are recommended for this deployment?

• A.Two indexers not in a cluster, assuming users run many long searches.
• B.Three indexers not in a cluster, assuming a long data retention period.
• C.Two indexers clustered, assuming high availability is the greatest priority.
• D.Two indexers clustered, assuming a high volume of saved/scheduled searches.

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Capacity/Summaryofperformancerecommendations

Question No : 5
Before users can use a KV store, an admin must create a collection. Where is a collection is defined?

• A.kvstore.conf
• B.collection.conf
• C.collections.conf
• D.kvcollections.conf

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/Knowledge/DefineaKVStorelookupinSplunkWeb

Question No : 6
A three-node search head cluster is skipping a large number of searches across time.
What should be done to increase scheduled search capacity on the search head cluster?

• A.Create a job server on the cluster.
• B.Add another search head to the cluster.
• C.server.conf captain_is_adhoc_searchhead = true.
• D.Change limits.conf value for max_searches_per_cpu to a higher value.

Show Answers

Answer:

Question No : 7
Which of the following are client filters available in serverclass.conf? (Select all that apply.)

• A.DNS name.
• B.IP address.
• C.Splunk server role.
• D.Platform (machine type).

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.1/Updating/Filterclients#Define_filters_through_serverclass.conf

Question No : 8
Which search will show all deployment client messages from the client (UF)?

• A.index=_audit component=DC* host=<ds> | stats count by message
• B.index=_audit component=DC* host=<uf> | stats count by message
• C.index=_internal component= DC* host=<uf> | stats count by message
• D.index=_internal component=DS* host=<ds> | stats count by message

Show Answers

Answer:

Question No : 9
When should multiple search pipelines be enabled?

• A.Only if disk IOPS is at 800 or better.
• B.Only if there are fewer than twelve concurrent users.
• C.Only if running Splunk Enterprise version 6.6 or later.
• D.Only if CPU and memory resources are significantly under-utilized.

Show Answers

Answer:
Explanation:
Reference: https://answers.splunk.com/answers/617608/can-we-increase-parallelingestionpipelines-in-a­he.html

Question No : 10
Configurations from the deployer are merged into which location on the search head cluster member?

• A.SPLUNK_HOME/etc/system/local
• B.SPLUNK_HOME/etc/apps/APP_HOME/local
• C.SPLUNK_HOME/etc/apps/search/default
• D.SPLUNK_HOME/etc/apps/APP_HOME/default

Show Answers

Answer:
Explanation:
Reference: https://docs.splunk.com/Documentation/Splunk/7.3.2/DistSearch/PropagateSHCconfigurationchanges