Splunk SPLK-1005 Practice Test - Questions Answers, Page 8
Question list
List of questions
Related questions
Which of the following is a valid method to test if a forwarder can successfully send data to Splunk Cloud?
Search the _audit index to confirm whether the forwarder ID was registered.
Use oneshot from the CLI on the forwarders, then check to see if those logs show up in the Splunk Cloud environment.
On Splunk Cloud UI, click Add Data and upload a test file, then search to see if the logs show up.
Ping the inputssl.example.splunkcloud.com to see if it returns the ping.
Which of the following statements is true regarding sedcmd?
SEDCMD can be defined in either props.conf or transforms.conf.
SEDCMD does not work on Windows-based installations of Splunk.
SEDCMD uses the same syntax as Splunk's replace command.
SEDCMD provides search and replace functionality using regular expressions and substitutions.
How is it possible to test a script from the Splunk perspective before using it within a scripted input?
splunk run <scriptname>
splunk script <scriptname>
./$SPLUNK_HOME/etc/apps/<app>/bin/<scriptname>
splunk cmd <scriptname>
What two files are used in the data transformation process?
parsing.conf and transforms.conf
props.conf and transforms.conf
transforms.conf and fields.conf
transforms.conf and sourcetypes.conf
Where can an administrator download the Splunk Cloud Universal Forwarder credentials package?
Splunk Support.
Cloud Monitoring Console forwarder drop-down.
Universal Forwarder app in the Splunk Cloud search head.
Splunkbase.
When creating a new index, which of the following is true about archiving expired events?
Store expired events in private AWS-based storage.
Expired events cannot be archived.
Archive some expired events from an index and discard others.
Store expired events on-prem using your own storage systems.
Due to internal security policies, a Splunk Cloud administrator cannot send data directly to Splunk Cloud from certain data sources. Additional parsing and API-based data sources also need to be sent to Splunk Cloud. What forwarder type should the Splunk Cloud administrator use to satisfy these requirements within their environment?
Syslog-ng server with a universal forwarder
Light forwarder as an intermediate forwarder
Heavy forwarder as an intermediate forwarder
Universal forwarder as an intermediate forwarder
Configuration folders named default contain configuration files/settings specified in the Splunk product or default settings specified in apps. Which of the following is recommended to override these settings?
It does not matter whether setting overrides are placed in default or local folders. Both are equally acceptable since Splunk will merge all the files together into one runtime model after each restart.
Any settings to be overridden should be modified in-place wherever the setting was found originally. For example, if overriding a setting originally found in system/default, it should be overridden there to ensure that the desired value is used by Splunk.
Overrides should be placed in a folder named local, ideally within a custom Splunk app. This ensures the overrides are preserved upon product or app upgrade and will also be easier to maintain/support.
Try to store all configuration overrides in system/local folder to keep all configurations in one place. This ensures the modification has the highest precedence over all other configuration entries.
What information is identified during the input phase of the ingestion process?
Line breaking and timestamp.
A hash of the message payload.
Metadata fields like sourcetype and host.
SRC and DST IP addresses and ports.
Given the following set of files, which of the monitor stanzas below will result in Splunk monitoring all of the files ending with .log?
Files:
/var/log/www1/secure.log
/var/log/www1/access.log
/var/log/www2/logs/secure.log
/var/log/www2/access.log
/var/log/www2/access.log.1
[monitor:///var/log/*/*.log]
[monitor:///var/log/.../*.log]
[monitor:///var/log/*/*]
[monitor:///var/log/.../*]
Question