Consultant Study PDF

Summary

This document contains a series of questions and answers related to Splunk, a data collection and analysis platform. It covers topics such as server identification, search efficiency, and migration strategies.

Full Transcript

- How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk instance?
- A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users' ability to view historic scheduled search results if they log onto a search head which doesn't contain one of the 2 copies of a given search artifact. Which of the following statements best describes what would happen in this scenario?
- Monitoring Console (MC) health check configuration items are stored in which configuration file?
- What should be considered when running the following CLI commands with a goal of accelerating an index cluster migration to new hardware?
- Which statement is true about subsearches?
- A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations, making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this. Which resource would help the customer gather the requirements for their new architecture?
- The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing. Here is an excerpt from the cluster master's server.conf: [image] Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?
- What is the primary driver behind implementing indexer clustering in a customer's environment?
  A. To improve resiliency as the search load increases.
  B. To reduce indexing latency.
  C. To scale out a Splunk environment to offer higher performance capability.
  D. **To provide higher availability for buckets of data. [Page 44 SCI pdf]**
- In a single indexer cluster, where should the Monitoring Console (MC) be installed?
- A customer has downloaded the Splunk App for AWS from Splunkbase and installed it in a search head cluster following the instructions using the deployer. A power user modifies a dashboard in the app on one of the search head cluster members. The app containing an updated dashboard is upgraded to the latest version by following the instructions via the deployer. What happens?
- A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS, what is recommended?
- Which of the following server.conf stanzas indicates the Indexer Discovery feature has not been fully configured (restart pending) on the Master Node?
  A.
  B. [image]
  **C.** **← this one**
  D. [image]
- What is the Splunk PS recommendation when using the deployment server and building deployment apps?
- Which of the following processors occur in the indexing pipeline?
- Which configuration item should be set to false to significantly improve data ingestion performance?
- A customer has a new set of hardware to replace their aging indexers. What method would reduce the amount of bucket replication operations during the migration process?
- When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?
- A site from a multi-site indexer cluster needs to be decommissioned. Which of the following actions must be taken?
- A customer wants to implement LDAP because managing local Splunk users is becoming too much of an overhead. What configuration details are needed from the customer to implement LDAP authentication?
- A customer has a search head cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages. Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?
- A [script://] input sends data to a Splunk forwarder using which method?
- A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?
- An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance. Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
- A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the index-time parsing occur?
- The customer wants to migrate their current Splunk index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?
- Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages: Which file(s) will actually be actively monitored?
- A customer has written the following search: [image] How can the search be rewritten to maximize efficiency?
  A.
  B. [image]
  C.
  D. [image]
  **[C]**
- How could a role in which all users must specify an index= clause in all searches be configured?
- In which of the following ?**[scenarios?]** should base configurations be used to provide consistent, repeatable, and supportable configurations? **[Single Select: D]** **[Multi Select: A & D]**
- Data can be onboarded using apps, Splunk Web, or the CLI. Which is the PS preferred method?
- Which of the following statements applies to indexer discovery?
- The data in Splunk is now subject to auditing and compliance controls. A customer would like to ensure that at least one year of logs are retained for both Windows and firewall events. What data retention controls must be configured?
- What happens when an index cluster peer freezes a bucket?
- A customer has the following Splunk instances within their environment: an indexer cluster consisting of a cluster master/master node and five clustered indexers, two search heads (no search head clustering), a deployment server, and a license master. The deployment server and license master are running on their own single-purpose instances. The customer would like to start using the Monitoring Console (MC) to monitor the whole environment. On the MC instance, which instances will need to be configured as distributed search peers by specifying them via the UI using the settings menu?
- What does Splunk do when it indexes events?
- What is the default push mode for a search head cluster deployer app configuration bundle?
- In which of the following scenarios is a subsearch the most appropriate?
- A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles, "security" and "operations". In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role. If a new user is created and assigned to the operations role only, which indexes will the user have access to search?
- A customer would like Splunk to delete files after they've been ingested. The Universal Forwarder has read/write access to the directory structure. Which input type would be most appropriate to use in order to ensure files are ingested and then deleted afterwards?
- In which directory should base config app(s) be placed to initialize an indexer?
- As a best practice, which of the following should be used to ingest data on clustered indexers? Because this is stating "**on clustered indexers**", the only inputs that should be on your indexers are splunktcp and HEC, making D the only correct option.
- When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?
- A customer wants to migrate from using Splunk local accounts to using Active Directory with LDAP for their Splunk user accounts instead. Which configuration files must be modified to connect to an Active Directory LDAP provider?
- A customer has a number of inefficient regex replacement transforms being applied. When under heavy load, the indexers are struggling to maintain the expected indexing rate. In a worst-case scenario, which queue(s) would be expected to fill up?
- A new single-site three-indexer cluster is being stood up with replication_factor:2, search_factor:2. At which step would the indexer cluster be classed as 'Indexing Ready' and be able to ingest new data?
  Step 1: Install and configure Cluster Master (CM)/Master Node with base clustering stanza settings, restarting CM.
  Step 2: Configure a base app in etc/master-apps on the CM to enable a splunktcp input on port 9997 and deploy index creation configurations.
  Step 3: Install and configure Indexer 1 so that once restarted, it contacts the CM and downloads the latest config bundle.
  Step 4: Indexer 1 restarts and has successfully joined the cluster.
  Step 5: Install and configure Indexer 2 so that once restarted, it contacts the CM and downloads the latest config bundle.
  Step 6: Indexer 2 restarts and has successfully joined the cluster.
  Step 7: Install and configure Indexer 3 so that once restarted, it contacts the CM and downloads the latest config bundle.
  Step 8: Indexer 3 restarts and has successfully joined the cluster.
- A new search head cluster is being implemented. Which is the correct command to initialize the deployer node without restarting the search head cluster peers?
- What is required to set up the HTTP Event Collector (HEC)?
- In the diagrammed environment shown below, the customer would like the data read by the universal forwarders to set an indexed field containing the UF's host name. Where would the parsing configurations need to be installed for this to work?
- Report acceleration has been enabled for a specific use case. In which bucket location is the corresponding CSV file located?
- Which command is most efficient in finding the pass4SymmKey of an index cluster?
- Where does the bloomfilter reside?
- A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?
- A customer has a network device that transmits logs directly with UDP or TCP over SSL. Using PS best practices, which ingestion method should be used?
- As data enters the indexer, it proceeds through a pipeline where event processing occurs. In which pipeline does line breaking occur?
- A customer has a multisite cluster (two sites, each site in its own data center) and users experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations. Which of the following would be the [least expensive and easiest way] to improve search performance?
- A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?
- A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf. After this change, when running searches utilizing the lookup that was blacklisted, they see error messages in the Splunk Search UI stating the lookup file does not exist. What can the customer do to resolve the issue?
- In preparation for the deployment of a new environment for a customer, which of the following mappings are correct per PS best practices?
  A. [image]
  B.
  C. [image]
  D. **[SCI pdf pg. 137]**
- Which of the following statements is true, as it pertains to search head clustering (SHC)?
- Where are Splunk Data Model Acceleration (DMA) summaries stored?
- When can the Search Job Inspector be used to debug searches?
- A Splunk index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?
- A customer has three users and is planning to ingest 250GB of data per day. They are concerned with search uptime, can tolerate up to a two-hour downtime for the search tier, and want advice on a single search head versus a search head cluster (SHC). Which recommendation is the most appropriate?
- Which of the following is the most efficient search?
- Consider the search shown below. [image] What is this search's intended function? Subsearch creates a 4 hour window: Searches firewall index for high sev denies. Gets most recent timestamp of all (1 timestamp). Creates earliest field as 2 hours before (rounded down to nearest hour) and latest field as 2 hours after (rounded down to nearest hour) the most recent timestamp. For example, if most recent timestamp was 6:30pm: earliest=4pm & latest=8pm
- When setting up a multisite search head and indexer cluster, which nodes are required to declare site membership?
- A customer is using both internal Splunk authentication and LDAP for user management. If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?
- When utilizing a subsearch within a Splunk SPL search query, which of the following statements is accurate?
- A customer is migrating their existing Splunk indexer from an old set of hardware to a new set of indexers. What is the earliest method to migrate the system?
- When using SAML, where does user authentication occur?
- Which of the following server roles should be configured for a host which indexes its internal logs locally?
- The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?
- In a large cloud customer environment with many (>100) dynamically created endpoint systems, each with a UF already deployed, what is the best approach for associating these systems with an appropriate serverclass on the deployment server?
- Which of the following is the most efficient search?
  A.
  B. [image]
  C.
  D. [image]
  **[C is correct]**
- A customer has 30 indexers in an indexer cluster configuration and two search heads. They are working on writing an SPL search for a particular use case, but are concerned that it takes too long to run for short time durations. How can the Search Job Inspector capabilities be used to help validate and understand the customer's concerns?
- A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?
- A working search head cluster has been set up and used for 6 months with just the native/local Splunk user authentication method. In order to integrate the search heads with an external Active Directory server using LDAP, which of the following statements represents the most appropriate method to deploy the configuration to the servers?
- In an environment that has indexer clustering, the Monitoring Console (MC) provides dashboards to monitor environment health. As the environment grows over time and new indexers are added, which steps would ensure the MC is aware of the additional indexers?
- In addition to the normal responsibilities of a search head cluster captain, which of the following is a default behavior?
- What happens to the indexer cluster when the indexer Cluster Master (CM) runs out of disk space?
- Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?
- Which statement is correct?
- A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?
- The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder (HF) be a more appropriate choice?
- When monitoring and forwarding events collected from a file containing unstructured textual events, what is the difference in the Splunk2Splunk payload traffic sent between a universal forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the forwarder.)
