What is the Splunk PS recommendation when using the deployment server and building deployment apps?
A. Carefully design smaller apps with specific configuration that can be reused.
B. Only deploy Splunk PS base configurations via the deployment server.
C. Use $SPLUNK_HOME/etc/system/local configurations on forwarders and only deploy TAs via the deployment server.
D. Carefully design bigger apps containing multiple configs.
A [script://] input sends data to a Splunk forwarder using which method?
A. UDP stream
B. TCP stream
C. Temporary file
D. STDOUT/STDERR
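A scripted input is just a program that the forwarder's ExecProcessor launches on a schedule; whatever the program writes to STDOUT becomes event data, and anything on STDERR is logged to splunkd.log rather than indexed. The following is an added example of such a script, not code from the page or from Splunk. The inputs.conf stanza in the header comment, the app name, the sourcetype and the polled records are all assumptions constructed for the illustration.

```python
#!/usr/bin/env python3
"""Hypothetical scripted input for a Splunk forwarder.

It would be referenced from inputs.conf in the app's bin directory, e.g.:

    [script://$SPLUNK_HOME/etc/apps/my_app/bin/poll_fds.py]
    interval   = 60
    sourcetype = my_app:fd_stats
    index      = main

Events go to STDOUT (one per line); diagnostics go to STDERR, which the
forwarder captures into splunkd.log instead of indexing it.
"""
import sys
from datetime import datetime, timezone

# Constructed sample records standing in for whatever the script would
# really poll (a REST API, /proc, a database ...).
SAMPLE_RECORDS = [
    {"host": "web01", "open_fds": 812, "load1": 1.7},
    {"host": "web02", "open_fds": 3990, "load1": 6.2},
]


def render_events(records, when):
    """Return one key=value line per record, led by an ISO-8601 timestamp.

    Putting the timestamp first lets Splunk's default timestamp extraction
    (or an explicit TIME_FORMAT in props.conf) pick it up without help.
    """
    stamp = when.isoformat()
    lines = []
    for rec in records:
        fields = " ".join(f"{k}={v}" for k, v in rec.items())
        lines.append(f"{stamp} {fields}")
    return lines


def emit(records, when, out=sys.stdout, err=sys.stderr):
    """Write events to STDOUT; report an empty poll on STDERR.

    Returns the number of events written so a caller (or test) can check it.
    """
    lines = render_events(records, when)
    if not lines:
        # Goes to splunkd.log, not to the index.
        print("poll_fds: no records returned from source", file=err)
        return 0
    for line in lines:
        out.write(line + "\n")
    out.flush()  # make sure the forwarder sees the data before we exit
    return len(lines)


if __name__ == "__main__":
    emit(SAMPLE_RECORDS, datetime.now(timezone.utc))
```

Because the forwarder reads the process's STDOUT directly, there is no temporary file to clean up and no local listener port to open; the script only has to write complete lines and exit (or keep running, if interval = -1 is used for a long-lived script).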
An index receives approximately 50GB of data per day per indexer at an even and consistent rate. The customer would like to keep this data searchable for a minimum of 30 days. In addition, they have hourly scheduled searches that process a week's worth of data and are quite sensitive to search performance.
Given ideal conditions (no restarts, nor drops/bursts in data volume), and following PS best practices, which of the following sets of indexes.conf settings can be leveraged to meet the requirements?
A. frozenTimePeriodInSecs, maxDataSize, maxVolumeDataSizeMB, maxHotBuckets
B. maxDataSize, maxTotalDataSizeMB, maxHotBuckets, maxGlobalDataSizeMB
C. maxDataSize, frozenTimePeriodInSecs, maxVolumeDataSizeMB
D. frozenTimePeriodInSecs, maxWarmDBCount, homePath.maxDataSizeMB, maxHotSpanSecs
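Retention in indexes.conf is governed by two independent limits: a time limit (frozenTimePeriodInSecs) and a size limit (maxTotalDataSizeMB per index per indexer, or maxVolumeDataSizeMB for a whole volume). Whichever is reached first freezes the oldest buckets, so a size cap that is too small silently shortens retention. The helper below is an added example, not Splunk code or a page-provided answer, that turns the scenario's numbers into concrete settings and checks that interaction; the headroom factor, the index name and the 1024 MB/GB conversion are assumptions of the example.

```python
"""Added sizing helper for indexes.conf retention (not Splunk code).

Given a daily ingest rate per indexer and a required retention period, it
produces the time and size limits and flags the case where the size limit
would freeze data before the time limit is reached.
"""

SECONDS_PER_DAY = 86400
MB_PER_GB = 1024


def retention_settings(daily_gb_per_indexer, days, headroom=1.2):
    """Return indexes.conf settings that keep `days` of data searchable.

    headroom: multiplier on the size cap so normal variance in daily volume
    does not trip the size limit before the time limit (assumption: 20%).
    """
    frozen_secs = days * SECONDS_PER_DAY
    needed_mb = daily_gb_per_indexer * days * MB_PER_GB
    return {
        "frozenTimePeriodInSecs": frozen_secs,
        "maxTotalDataSizeMB": int(needed_mb * headroom),
        # Documented preset: ~10 GB buckets on 64-bit systems, fewer
        # buckets to open for the weekly searches in the scenario.
        "maxDataSize": "auto_high_volume",
    }


def days_before_size_cap(max_total_mb, daily_gb_per_indexer):
    """How many days of ingest fit under the size cap."""
    return max_total_mb / (daily_gb_per_indexer * MB_PER_GB)


def size_cap_fires_first(max_total_mb, daily_gb_per_indexer, days):
    """True if the size limit would freeze data before `days` elapse."""
    return days_before_size_cap(max_total_mb, daily_gb_per_indexer) < days


def render_stanza(index_name, settings):
    """Render the settings as an indexes.conf stanza."""
    lines = [f"[{index_name}]"]
    lines += [f"{key} = {value}" for key, value in settings.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    settings = retention_settings(50, 30)
    print(render_stanza("web", settings))
    # The stock maxTotalDataSizeMB default (500000 MB) at 50 GB/day would
    # freeze data after roughly ten days, well short of the 30 required.
    if size_cap_fires_first(500000, 50, 30):
        print("# WARNING: default maxTotalDataSizeMB freezes data early")
```

Run against the scenario (50 GB/day, 30 days) it yields frozenTimePeriodInSecs = 2592000 and maxTotalDataSizeMB = 1843200, and it shows why leaving maxTotalDataSizeMB at its default would cut retention to about ten days. If the index lives on a volume with maxVolumeDataSizeMB set, apply the same check to the volume total, since volume limits freeze the oldest buckets across every index on that volume.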
A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does index-time parsing occur?
A. Indexer
B. Universal forwarder
C. Search head
D. Heavy forwarder
The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?
A. 1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3. Decommission old peers one at a time.
4. Remove old peers from the CM's list.
5. Update forwarders to forward to the new peers.
B. 1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3. Decommission old peers one at a time.
4. Remove old peers from the CM's list.
5. Update forwarders to forward to the new peers.
C. 1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3. Update forwarders to forward to the new peers.
4. Decommission old peers one at a time.
5. Restart the cluster master (CM).
D. 1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3. Update forwarders to forward to the new peers.
4. Decommission old peers one at a time.
5. Remove old peers from the CM's list.
A customer with a large distributed environment has blacklisted a large lookup from the search bundle in distsearch.conf to decrease the bundle size. After this change, searches that use the blacklisted lookup show error messages in the Splunk Search UI stating that the lookup file does not exist.
What can the customer do to resolve the issue?
A. The search needs to be modified to ensure the lookup command specifies parameter local=true.
B. The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true.
C. The search needs to be modified to ensure the lookup command specified parameter blacklist=false.
D. The lookup cannot be blacklisted; the change must be reverted.
A customer has three users and is planning to ingest 250GB of data per day. They are concerned with search uptime, can tolerate up to a two-hour downtime for the search tier, and want advice on a single search head versus a search head cluster (SHC).
Which recommendation is the most appropriate?
A. The customer should deploy two active search heads behind a load balancer to support HA.
B. The customer should deploy a SHC with a single member for HA; more members can be added later.
C. The customer should deploy a SHC, because it will be required to support the high volume of data.
D. The customer should deploy a single search head with a warm standby search head and an rsync process to synchronize configurations.
Consider the search shown below.
What is this search's intended function?
A. To return all the web_log events from the web index that occur two hours before and after the most recent high severity, denied event found in the firewall index.
B. To find all the denied, high severity events in the firewall index, and use those events to further search for lateral movement within the web index.
C. To return all the web_log events from the web index that occur two hours before and after all high severity, denied events found in the firewall index.
D. To search the firewall index for web logs that have been denied and are of high severity.
In addition to the normal responsibilities of a search head cluster captain, which of the following is a default behavior?
A. The captain is not a cluster member and does not perform normal search activities.
B. The captain is a cluster member who performs normal search activities.
C. The captain is not a cluster member but does perform normal search activities.
D. The captain is a cluster member but does not perform normal search activities.
Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?
A. Merging pipeline
B. Indexing pipeline
C. Typing pipeline
D. Parsing pipeline
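Event masking at ingest is normally configured with a SEDCMD-&lt;name&gt; setting in props.conf, whose s/regex/replacement/flags expression the regex replacement processor applies to each event on the first full Splunk instance in the path (heavy forwarder or indexer). Getting the expression wrong means either leaking the data you meant to mask or mangling unrelated events, so it is worth dry-running the substitution on sample events before deploying. The script below is an added example for that purpose, not Splunk code; the props.conf stanza, sourcetype name and sample events are constructed for the illustration. Splunk evaluates SEDCMD with PCRE, whereas this helper uses Python's re module, so treat it as a first-pass check and confirm edge cases (PCRE-only syntax, transliteration with y///) on a test indexer.

```python
"""Added dry-run helper for props.conf SEDCMD masking (not Splunk code).

Hypothetical stanza being tested:

    [app:payments]
    SEDCMD-mask_pan = s/\\b(\\d{4})-\\d{4}-\\d{4}-(\\d{4})\\b/\\1-XXXX-XXXX-\\2/g

Only the s/// form is handled; Splunk's y/// transliteration is not.
"""
import re

# The same expression as it would appear on the SEDCMD line.
SEDCMD_MASK_PAN = r"s/\b(\d{4})-\d{4}-\d{4}-(\d{4})\b/\1-XXXX-XXXX-\2/g"

# Constructed sample events (not real data).
SAMPLE_EVENTS = [
    "2024-05-01T10:00:00Z user=alice pan=4111-1111-1111-1111 amount=42.00",
    "2024-05-01T10:00:01Z user=bob msg=login ok",
    "2024-05-01T10:00:02Z a=4111-1111-1111-1111 b=5500-0000-0000-0004",
]


def parse_sedcmd(expr):
    """Split s<d>regex<d>replacement<d>flags, honouring escaped delimiters.

    Returns (regex, replacement, flags). The delimiter is whatever follows
    the leading 's' (normally '/').
    """
    if len(expr) < 4 or expr[0] != "s":
        raise ValueError("expected s/regex/replacement/flags")
    delim = expr[1]
    parts, current, i = [], [], 2
    while i < len(expr):
        ch = expr[i]
        if ch == "\\" and i + 1 < len(expr):
            # Keep escapes intact so \b, \d and \1 survive for re.
            current.append(ch)
            current.append(expr[i + 1])
            i += 2
            continue
        if ch == delim:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    if len(parts) != 3:
        raise ValueError("expected exactly three delimited fields")
    regex, replacement, flags = parts
    # An escaped delimiter in the replacement must become a literal delimiter.
    replacement = replacement.replace("\\" + delim, delim)
    return regex, replacement, flags


def apply_sedcmd(expr, event):
    """Apply one SEDCMD expression to a single raw event string."""
    regex, replacement, flags = parse_sedcmd(expr)
    count = 0 if "g" in flags else 1          # g = replace every match
    re_flags = re.IGNORECASE if "i" in flags else 0
    return re.sub(regex, replacement, event, count=count, flags=re_flags)


def mask_events(expr, events):
    """Return the events as the indexer would store them after masking."""
    return [apply_sedcmd(expr, e) for e in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, mask_events(SEDCMD_MASK_PAN, SAMPLE_EVENTS)):
        print(f"{before}\n  -> {after}")
```

Running the helper confirms that the full card number is reduced to first-four/last-four in every event, that an event without a match passes through unchanged, and that dropping the trailing g flag would leave the second PAN in the third event unmasked. Because the masking runs at index time, anything that reaches the indexer unmasked stays unmasked in the bucket, so this check belongs in the deployment process for any new SEDCMD.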