Splunk SPLK-3003 Splunk Core Certified Consultant Exam Practice Test

Page: 1 / 9
Total 85 questions

Splunk Core Certified Consultant Questions and Answers

Question 1

When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?

Options:

A. All replicated copies will be rolled to frozen; original copies will remain.

B. Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket.

C. The bucket rolls to frozen on all clustered indexers simultaneously.

D. Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll.

Question 2

When using SAML, where does user authentication occur?

Options:

A. Splunk generates a SAML assertion that authenticates the user.

B. The Service Provider (SP) decodes the SAML request and authenticates the user.

C. The Identity Provider (IDP) decodes the SAML request and authenticates the user.

D. The Service Provider (SP) generates a SAML assertion that authenticates the user.

Question 3

A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users’ ability to view historic scheduled search results if they log onto a search head which doesn’t contain one of the 2 copies of a given search artifact.

Which of the following statements best describes what would happen in this scenario?

Options:

A. The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use.

B. Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results.

C. The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads.

D. The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads.

Question 4

Which command is most efficient in finding the pass4SymmKey of an index cluster?

Options:

A. find / -name server.conf –print | grep pass4SymKey

B. $SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/ unhash_app/storage/passwords

C. $SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey

D. $SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep pass4SymmKey

Question 5

The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder (HF) be a more appropriate choice?

Options:

A. When a predictable version of Python is required.

B. When filtering 10%–15% of incoming events.

C. When monitoring a log file.

D. When running a script.

Question 6

When can the Search Job Inspector be used to debug searches?

Options:

A. If the search has not expired.

B. If the search is currently running.

C. If the search has been queued.

D. If the search has expired.

Question 7

Which of the following is the most efficient search?

Options:

A. index=www status=200 uri=/cart/checkout | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

B. (index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum (revenue) as total_revenue by session_id | table total_revenue session_id

C. index=www | append [search index = sales] | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

D. (index=www) OR (index=sales) | search (index=www status=200 uri=/cart/checkout) OR (index=sales) | stats count, sum(revenue) as total_revenue by session_id | table total_revenue session_id

Question 8

A customer has a Universal Forwarder (UF) with an inputs.conf monitoring its splunkd.log. The data is sent through a heavy forwarder to an indexer. Where does the index-time parsing occur?

Options:

A. Indexer

B. Universal forwarder

C. Search head

D. Heavy forwarder

Question 9

The customer wants to migrate their current Splunk Index cluster to new hardware to improve indexing and search performance. What is the correct process and procedure for this task?

Options:

A.

1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3. Decommission old peers one at a time.
4. Remove old peers from the CM’s list.
5. Update forwarders to forward to the new peers.

B.

1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3. Decommission old peers one at a time.
4. Remove old peers from the CM’s list.
5. Update forwarders to forward to the new peers.

C.

1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the same configuration via the deployment server.
3. Update forwarders to forward to the new peers.
4. Decommission old peers one at a time.
5. Restart the cluster master (CM).

D.

1. Install new indexers.
2. Configure indexers into the cluster as peers; ensure they receive the cluster bundle and the same configuration as original peers.
3. Update forwarders to forward to the new peers.
4. Decommission old peers one at a time.
5. Remove old peers from the CM’s list.

Question 10

A non-ES customer has a concern about data availability during a disaster recovery event. Which of the following Splunk Validated Architectures (SVAs) would be recommended for that use case?

Options:

A. Topology Category Code: M4

B. Topology Category Code: M14

C. Topology Category Code: C13

D. Topology Category Code: C3

Question 11

In which of the following scenarios should base configurations be used to provide consistent, repeatable, and supportable configurations?

Options:

A. For non-production environments to keep their configurations in sync.

B. To ensure every customer has exactly the same base settings.

C. To provide settings that do not need to be customized to meet customer requirements.

D. To provide settings that can be customized to meet customer requirements.

Question 12

Which of the following processors occur in the indexing pipeline?

Options:

A. tcp out, syslog out

B. Regex replacement, annotator

C. Aggregator

D. UTF-8, linebreaker, header
