SPLK-1003 Exam Dumps

181 Questions


Last Updated On: 24-Feb-2025



Turn your preparation into perfection. Our Splunk SPLK-1003 exam dumps are the key to unlocking your exam success. SPLK-1003 practice test helps you understand the structure and question types of the actual exam. This reduces surprises on exam day and boosts your confidence.

Passing is no accident. With our expertly crafted Splunk SPLK-1003 exam questions, you’ll be fully prepared to succeed.

Which Splunk component consolidates the individual results and prepares reports in a distributed environment?

A. Indexers
B. Forwarder
C. Search head
D. Search peers

C. Search head

"From the user standpoint, specifying and running a distributed search is essentially the same as running any other search. Behind the scenes, the search head distributes the query to its search peers, and consolidates the results when presenting them to the user."

What are the minimum required settings when creating a network input in Splunk?

A. Protocol, port number
B. Protocol, port, location
C. Protocol, username, port
D. Protocol, IP, port number

A. Protocol, port number

From the inputs.conf specification:
[tcp://<remote server>:<port>]
* Configures the input to listen on a specific TCP network port.
* If a <remote server> makes a connection to this instance, the input uses this stanza to configure itself.
* If you do not specify <remote server>, this stanza matches all connections on the specified port.
* Generates events with source set to "tcp:<port>", for example: tcp:514.
* If you do not specify a sourcetype, generates events with sourcetype set to "tcp-raw".

Which Splunk component requires a Forwarder license?

A. Search head
B. Heavy forwarder
C. Heaviest forwarder
D. Universal forwarder

B. Heavy forwarder

The following stanza is active in indexes.conf:

[cat_facts]
maxHotSpanSecs = 3600
frozenTimePeriodInSecs = 2630000
maxTotalDataSizeMB = 650000

All other related indexes.conf settings are default values.
If the event timestamp was 3739283 seconds ago, will it be searchable?

A. Yes, only if the bucket is still hot.
B. No, because the index will have exceeded its maximum size.
C. Yes, only if the index size is also below 650000 MB.
D. No, because the event time is greater than the retention time.

D. No, because the event time is greater than the retention time.

Explanation: The correct answer is D. No, because the event time is greater than the retention time.
According to the Splunk documentation, the frozenTimePeriodInSecs setting in indexes.conf determines how long Splunk software retains indexed data before deleting it or archiving it to remote storage. The default value is 188697600 seconds, which is equivalent to six years. The setting can be overridden on a per-index basis.
In this case, the cat_facts index has a frozenTimePeriodInSecs setting of 2630000 seconds, which is equivalent to about 30 days. This means that any event older than 30 days will be removed from the index and will not be searchable.
The event timestamp was 3739283 seconds ago, which is equivalent to about 43 days. This means that the event is older than the retention time of the cat_facts index and will not be searchable.
The other settings in the stanza, maxHotSpanSecs and maxTotalDataSizeMB, do not affect the retention time of events. They only affect the size and time span of the buckets that store the events.

What happens when the same username exists in Splunk as well as through LDAP?

A. Splunk user is automatically deleted from authentication.conf.
B. LDAP settings take precedence.
C. Splunk settings take precedence.
D. LDAP user is automatically deleted from authentication.conf.

C. Splunk settings take precedence.

The Splunk platform attempts native authentication first. If native authentication fails for any reason other than the local account not existing, Splunk does not attempt an LDAP login. This is adapted from the Splunk documentation on the precedence of Splunk authentication schemes.

Which is a valid stanza for a network input?

A. [udp://172.16.10.1:9997]
connection = dns
sourcetype = dns

B. [any://172.16.10.1:10001]
connection_host = ip
sourcetype = web

C. [tcp://172.16.10.1:9997]
connection_host = web
sourcetype = web

D. [tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

D. [tcp://172.16.10.1:10001]
connection_host = dns
sourcetype = dns

A network input stanza must use the tcp or udp protocol, and connection_host accepts only ip, dns, or none. Option A uses a setting name that does not exist (connection), option B uses an invalid protocol (any), and option C uses an invalid connection_host value (web).

