
Splunk SPLK-3003 Splunk Core Certified Consultant Exam Practice Test

Page: 1 / 9
Total 85 questions

Splunk Core Certified Consultant Questions and Answers

Question 1

How does Monitoring Console (MC) initially identify the server role(s) of a new Splunk Instance?

Options:

A. The MC uses a REST endpoint to query the server.

B. Roles are manually assigned within the MC.

C. Roles are read from distsearch.conf.

D. The MC assigns all possible roles by default.

Question 2

A new search head cluster is being implemented. Which is the correct command to initialize the deployer node without restarting the search head cluster peers?

Options:

A. $SPLUNK_HOME/bin/splunk apply shcluster-bundle

B. $SPLUNK_HOME/bin/splunk apply cluster-bundle

C. $SPLUNK_HOME/bin/splunk apply shcluster-bundle -action stage

D. $SPLUNK_HOME/bin/splunk apply cluster-bundle -action stage

Question 3

A customer has three users and is planning to ingest 250GB of data per day. They are concerned with search uptime, can tolerate up to a two-hour downtime for the search tier, and want advice on single search head versus a search head cluster (SHC).

Which recommendation is the most appropriate?

Options:

A. The customer should deploy two active search heads behind a load balancer to support HA.

B. The customer should deploy a SHC with a single member for HA; more members can be added later.

C. The customer should deploy a SHC, because it will be required to support the high volume of data.

D. The customer should deploy a single search head with a warm standby search head and an rsync process to synchronize configurations.

Question 4

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

Options:

A. None. Splunk default configurations will process the events as needed; the UF is not causing truncation.

B. Configure the best practice magic 6 or great 8 props.conf settings.

C. EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.

D. Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.

Question 5

A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles – security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role.

If a new user is created and assigned to the operations role only, which indexes will the user have access to search?

Options:

A. operations, network, _internal, _audit

B. operations

C. No Indexes

D. operations, network

Question 6

A customer has a search cluster (SHC) of six members split evenly between two data centers (DC). The customer is concerned with network connectivity between the two DCs due to frequent outages. Which of the following is true as it relates to SHC resiliency when a network outage occurs between the two DCs?

Options:

A. The SHC will function as expected as the SHC deployer will become the new captain until the network communication is restored.

B. The SHC will stop all scheduled search activity within the SHC.

C. The SHC will function as expected as the minimum required number of nodes for a SHC is 3.

D. The SHC will function as expected as the SHC captain will fall back to previous active captain in the remaining site.

Question 7

In a single indexer cluster, where should the Monitoring Console (MC) be installed?

Options:

A. Deployer sharing with master cluster.

B. License master that has 50 clients or more.

C. Cluster master node

D. Production Search Head

Question 8

A customer with a large distributed environment has blacklisted a large lookup from the search bundle to decrease the bundle size using distsearch.conf. After this change, when running searches utilizing the lookup that was blacklisted they see error messages in the Splunk Search UI stating the lookup file does not exist.

What can the customer do to resolve the issue?

Options:

A. The search needs to be modified to ensure the lookup command specifies parameter local=true.

B. The blacklisted lookup definition stanza needs to be modified to specify setting allow_caching=true.

C. The search needs to be modified to ensure the lookup command specified parameter blacklist=false.

D. The lookup cannot be blacklisted; the change must be reverted.

Question 9

When using SAML, where does user authentication occur?

Options:

A. Splunk generates a SAML assertion that authenticates the user.

B. The Service Provider (SP) decodes the SAML request and authenticates the user.

C. The Identity Provider (IDP) decodes the SAML request and authenticates the user.

D. The Service Provider (SP) generates a SAML assertion that authenticates the user.

Question 10

What is the default push mode for a search head cluster deployer app configuration bundle?

Options:

A. full

B. merge_to_default

C. default_only

D. local_only

Question 11

Which event processing pipeline contains the regex replacement processor that would be called upon to run event masking routines on events as they are ingested?

Options:

A. Merging pipeline

B. Indexing pipeline

C. Typing pipeline

D. Parsing pipeline

Question 12

Which of the following is the most efficient search?

Options:

A. Option A

B. Option B

C. Option C

D. Option D
