March Sale Special Limited Time Flat 70% Discount offer - Ends in 0d 00h 00m 00s - Coupon code: 70spcl

Splunk SPLK-3003 Splunk Core Certified Consultant Exam Practice Test

Page: 1 / 9
Total 85 questions

Splunk Core Certified Consultant Questions and Answers

Question 1

Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?

Options:

A.

Merging pipeline

B.

Indexing pipeline

C.

Typing pipeline

D.

Parsing pipeline

Question 2

A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf. After this change, when running searches utilizing the lookup that was blacklisted they see error messages in the Splunk Search UI stating the lookup file does not exist.

What can the customer do to resolve the issue?

Options:

A.

The search needs to be modified to ensure the lookup command specifies parameter local=true.

B.

The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true.

C.

The search needs to be modified to ensure the lookup command specified parameter

blacklist=false.

D.

The lookup cannot be blacklisted; the change must be reverted.

Question 3

Report acceleration has been enabled for a specific use case. In which bucket location is the corresponding CSV file located?

Options:

A.

thawedPath

B.

summaryHomePath

C.

tstatsHomePath

D.

homePath, coldPath

Question 4

The Splunk Validated Architectures (SVAs) document provides a series of approved Splunk topologies. Which statement accurately describes how it should be used by a customer?

Options:

A.

Customer should look at the category tables, pick the highest number that their budget permits, then select this design topology as the chosen design.

B.

Customers should identify their requirements, provisionally choose an approved design that meets them, then consider design principles and best practices to come to an informed design decision.

C.

Using the guided requirements gathering in the SVAs document, choose a topology that suits requirements, and be sure not to deviate from the specified design.

D.

Choose an SVA topology code that includes Search Head and Indexer Clustering because it offers the highest level of resilience.

Question 5

A customer is using regex to whitelist access logs and secure logs from a web server, but only the access logs are being ingested. Which troubleshooting resource would provide insight into why the secure logs are not being ingested?

Options:

A.

list monitor

B.

oneshot

C.

btprobe

D.

tailingprocessor

Question 6

What happens when an index cluster peer freezes a bucket?

Options:

A.

All indexers with a copy of the bucket will delete it.

B.

The cluster master will ensure another copy of the bucket is made on the other peers to meet the replication settings.

C.

The cluster master will no longer perform fix-up activities for the bucket.

D.

All indexers with a copy of the bucket will immediately roll it to frozen.

Question 7

Where are Splunk Data Model Acceleration (DMA) summaries stored?

Options:

A.

In tstatsHomePath

B.

In the .tsidx files.

C.

In summaryHomePath

D.

In journal.gz

Question 8

In a large cloud customer environment with many (>100) dynamically created endpoint systems, each with a UF already deployed, what is the best approach for associating these systems with an appropriate serverclass on the deployment server?

Options:

A.

Work with the cloud orchestration team to create a common host-naming convention for these systems so a simple pattern can be used in the serverclass.conf whitelist attribute.

B.

Create a CSV lookup file for each severclass, manually keep track of the endpoints within this CSV file, and leverage the whitelist.from_pathname attribute in serverclass.conf.

C.

Work with the cloud orchestration team to dynamically insert an appropriate clientName setting into each endpoint’s local/deploymentclient.conf which can be matched by whitelist in serverclass.conf.

D.

Using an installation bootstrap script run a CLI command to assign a clientName setting and permit

serverclass.conf whitelist simplification.

Question 9

A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users’ ability to view historic scheduled search results if they log onto a search head which doesn’t contain one of the 2 copies of a given search artifact.

Which of the following statements best describes what would happen in this scenario?

Options:

A.

The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use.

B.

Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results.

C.

The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads.

D.

The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads.

Question 10

The customer has an indexer cluster supporting a wide variety of search needs, including scheduled search, data model acceleration, and summary indexing. Here is an excerpt from the cluster mater’s server.conf:

Question # 10

Which strategy represents the minimum and least disruptive change necessary to protect the searchability of the indexer cluster in case of indexer failure?

Options:

A.

Enable maintenance mode on the CM to prevent excessive fix-up and bring the failed indexer back online.

B.

Leave replication_factor=2, increase search_factor=2 and enable summary_replication.

C.

Convert the cluster to multi-site and modify the server.conf to be site_replication_factor=2, site_search_factor=2.

D.

Increase replication_factor=3, search_factor=2 to protect the data, and allow there to always be a searchable copy.

Question 11

A customer would like to remove the output_file capability from users with the default user role to stop them from filling up the disk on the search head with lookup files. What is the best way to remove this capability from users?

Options:

A.

Create a new role without the output_file capability that inherits the default user role and assign it to the users.

B.

Create a new role with the output_file capability that inherits the default user role and assign it to the users.

C.

Edit the default user role and remove the output_file capability.

D.

Clone the default user role, remove the output_file capability, and assign it to the users.

Question 12

A customer wants to understand how Splunk bucket types (hot, warm, cold) impact search performance within their environment. Their indexers have a single storage device for all data. What is the proper message to communicate to the customer?

Options:

A.

The bucket types (hot, warm, or cold) have the same search performance characteristics within the customer’s environment.

B.

While hot, warm, and cold buckets have the same search performance characteristics within the customers environment, due to their optimized structure, the thawed buckets are the most performant.

C.

Searching hot and warm buckets result in best performance because by default the cold buckets are miniaturized by removing TSIDX files to save on storage cost.

D.

Because the cold buckets are written to a cheaper/slower storage volume, they will be slower to search compared to hot and warm buckets which are written to Solid State Disk (SSD).

Page: 1 / 9
Total 85 questions