This exam measures skills in deploying Elastic Observability for logs, metrics, traces, APM, uptime monitoring, and distributed tracing. Candidates must understand Beats, Elastic Agent, Fleet management, service maps, anomaly detection, log enrichment, SLO/SLA modeling, and correlation analysis across telemetry sources.
Typology: Exams
Question 1. Which Elastic Agent mode is used to run as a single binary that can collect logs, metrics, and security data on a host?
A) Standalone mode
B) Fleet mode
C) Elastic Cloud mode
D) Elastic Agentless mode
Answer: B
Explanation: Fleet mode allows the Elastic Agent to be centrally managed from Kibana, enabling collection of logs, metrics, and security data through a single binary on each host.

Question 2. What is the primary purpose of an integration in the Elastic Agent UI?
A) To install Kibana plugins automatically
B) To configure data collection for a specific service or technology
C) To create custom dashboards
D) To manage user authentication
Answer: B
Explanation: Integrations provide pre-built configurations for collecting logs, metrics, or traces from particular services such as Nginx, MySQL, or System.

Question 3. How do you configure the Elastic Agent to tail a custom log file located at /var/log/custom/app.log?
A) Add the file path to the filebeat.inputs section of filebeat.yml
B) Enable the “Logs” integration and specify the path in the “Files” field
C) Create a new logstash-pipeline.conf file with a file input plugin
D) Use the elastic-agent command-line flag --log-path
Answer: B
Explanation: The Logs integration in Elastic Agent provides a UI field where you can list custom log file paths for the agent to tail and ship.

Question 4. Which processor in an ingest node pipeline would you use to extract the timestamp from a field called message using the pattern “[%{TIMESTAMP_ISO8601:ts}]”?
A) dissect
B) grok
C) date
D) convert
Answer: B
Explanation: The grok processor applies regular-expression-like patterns to parse fields; the provided pattern is a grok pattern that extracts a timestamp into the ts field.

Question 5. What does the convert processor do in an ingest pipeline?
A) Changes the field name
B) Parses JSON strings into objects
C) Transforms the field’s data type (e.g., string to integer)
D) Removes a field from the document
Answer: C
Explanation: The convert processor changes the data type of a field, such as converting a string representation of a number into an integer or a date.

Question 6. Which of the following is a valid step to enable Real User Monitoring (RUM) on an APM Server?
A) Set rum.enabled: true in apm-server.yml
B) Install the elastic-rum-agent package on the server

Question 9. How can you create a data stream for custom metrics in Elasticsearch?
A) Use the PUT /data_stream/

Explanation: The geoip processor enriches the document with a .geoip object containing country, city, latitude, longitude, and other location data.

Question 12. Which of the following is NOT a built-in processor for ingest pipelines?
A) append
B) script
C) split
D) rename
Answer: B
Explanation: While script processors exist in Logstash pipelines, they are not part of the ingest node processor set; ingest pipelines use processors like append, split, rename, etc.

Question 13. How does the fail processor behave when its condition is met?
A) It drops the document silently
B) It adds a field error with a custom message
C) It raises an exception that stops pipeline execution for that document
D) It retries the document after a delay
Answer: C
Explanation: The fail processor throws an exception, causing the ingest pipeline to halt processing for that document and log the failure.

Question 14. What is the purpose of the set processor in an ingest pipeline?
A) To replace an existing field’s value
B) To add a new field with a static or scripted value
C) To rename a field
D) To delete a field

B) Linux metrics integration
C) Host metrics integration
D) Elastic Metrics integration
Answer: A
Explanation: The “System metrics” integration provides pre-built metricsets for CPU, memory, disk I/O, and network statistics on Linux hosts.

Question 18. How can you enable the collection of Kubernetes pod logs using Elastic Agent?
A) Deploy the Elastic Agent as a DaemonSet with the “Kubernetes logs” integration enabled
B) Install Filebeat on each node and point it to /var/log/pods
C) Use Logstash with a Kubernetes input plugin
D) Enable the “Docker logs” integration and set the container runtime to Kubernetes
Answer: A
Explanation: Deploying Elastic Agent as a DaemonSet and enabling the Kubernetes logs integration automatically discovers and ships pod logs.

Question 19. What is the effect of configuring pipeline.workers to 1 in the ingest node settings?
A) Enables parallel processing of documents
B) Forces sequential processing, which can be useful for order-dependent pipelines
C) Increases the maximum ingest throughput
D) Disables all ingest pipelines
Answer: B
Explanation: Setting pipeline.workers to 1 processes ingest documents one at a time, preserving order but reducing throughput.

Question 20. In the APM app, what does the “Service latency” chart display?
A) The time taken for the APM Server to acknowledge requests
B) The average duration of transactions for a selected service
C) Network round-trip time between the agent and Elasticsearch
D) The time between two consecutive heartbeats
Answer: B
Explanation: Service latency visualizes the average transaction duration (response time) for the chosen service, helping identify performance regressions.

Question 21. Which Elasticsearch API is used to retrieve the current ILM policy attached to an index?
A) GET /_ilm/policy/{policy_name}
B) GET /{index}/_ilm/explain
C) GET /{index}/_settings?filter_path=**.lifecycle
D) GET /_ilm/explain/{index}
Answer: B
Explanation: The GET /{index}/_ilm/explain API returns the ILM phase and policy details for the specified index.

Question 22. What is the primary benefit of using a data stream instead of a regular index for observability metrics?
A) Data streams automatically enforce field mappings
B) Data streams support hot-warm-cold lifecycle without manual rollover
C) Data streams allow per-document versioning
D) Data streams encrypt data at rest by default
Answer: B

C) Slack action (built-in)
D) Index action
Answer: C
Explanation: Kibana provides a native Slack action that posts messages directly to a configured Slack channel.

Question 26. Which setting in apm-server.yml controls the maximum size of a transaction payload that the server will accept?
A) max_payload_bytes
B) transaction_max_bytes
C) server.max_payload_size
D) payload.max_bytes
Answer: A
Explanation: The max_payload_bytes parameter defines the upper limit for the size of incoming APM payloads, preventing oversized requests.

Question 27. What is the purpose of the remove processor in an ingest pipeline?
A) To delete a field from the document
B) To clear the value of a field while keeping the field name
C) To exclude the document from indexing
D) To move a field to a new name
Answer: A
Explanation: The remove processor permanently deletes the specified field(s) from the document during ingestion.

Question 28. In the context of Elastic Observability, what does “RUM” stand for?
A) Real-User Metrics
B) Remote-User Monitoring
C) Real-User Monitoring
D) Resource-Utilization Management
Answer: C
Explanation: RUM is Real-User Monitoring, which captures front-end performance data from browsers and sends it to the APM Server.

Question 29. How can you configure a Heartbeat monitor to perform a TCP check on port 443 of example.com every 30 seconds?
A) Set type: tcp, hosts: ["example.com:443"], schedule: "@every 30s"
B) Set type: http, url: "https://example.com", schedule: "30s"
C) Set type: icmp, hosts: ["example.com"], interval: "30s"
D) Set type: tcp, hosts: ["example.com"], port: 443, period: "30s"
Answer: A
Explanation: The TCP monitor requires the host and port in the hosts array and a cron-style schedule; “@every 30s” runs the check every 30 seconds.

Question 30. What does the Kibana “Logs” app primarily use to query log data?
A) Elasticsearch SQL
B) Lucene query syntax with the log* index pattern
C) Piped Processing Language (PPL)
D) KQL (Kibana Query Language)
Answer: D
Explanation: The Logs app utilizes KQL to filter and search log entries across the configured index patterns.

D) Elastic Agent ML module
Answer: C
Explanation: Kibana’s Machine Learning UI allows you to create and manage anomaly detection jobs on log, metric, or trace data.

Question 34. What does the json processor do when applied to a field containing a JSON string?
A) It validates the JSON syntax and drops the document if invalid
B) It parses the JSON string and adds each key/value as separate fields in the document
C) It converts the JSON into a base64-encoded string
D) It compresses the JSON payload for storage efficiency
Answer: B
Explanation: The json processor deserializes a JSON string field, promoting its contents to top-level fields (or a target object).

Question 35. How can you limit the retention of a time-series index to 90 days using ILM?
A) Set index.lifecycle.max_age: 90d in the index template
B) Create an ILM policy with a delete phase after 90 days and assign it to the index
C) Use the curator tool to delete indices older than 90 days
D) Set the index.routing.allocation.include.age: 90d setting
Answer: B
Explanation: An ILM policy can specify a delete phase that triggers after a defined number of days, automatically removing indices older than that period.

Question 36. Which of the following is a required field when defining a custom ingest pipeline that uses the grok processor?
A) pattern_definitions
B) match_field
C) patterns
D) source_field
Answer: D
Explanation: The grok processor needs a field (or source_field) from which to read the raw text that will be parsed according to the defined patterns.

Question 37. In Kibana’s Uptime app, what does a red status indicator for a monitor signify?
A) The monitor is currently disabled
B) The monitor has not yet run
C) The monitor failed its last check (service unreachable)
D) The monitor is experiencing high latency but is reachable
Answer: C
Explanation: A red badge in the Uptime UI indicates that the most recent heartbeat check failed, meaning the service could not be reached.

Question 38. What is the default port on which the Elastic APM Server listens for incoming data?
A) 8200
B) 5601
C) 5044
D) 9200
Answer: A
Explanation: By default, the APM Server binds to port 8200 for HTTP ingestion of trace and metric data.

Question 39. How does the append processor modify a field that already contains an array?

Question 42. Which file would you edit to add a custom Beats input for collecting logs from /opt/app/logs/*.log when using Filebeat?
A) filebeat.yml
B) elasticsearch.yml
C) kibana.yml
D) logstash.yml
Answer: A
Explanation: Filebeat’s configuration resides in filebeat.yml, where inputs (paths) are defined.

Question 43. In the context of Elastic Observability, which component processes the “trace” data sent by the APM agents?
A) Logstash
B) Beats
C) APM Server
D) Kibana
Answer: C
Explanation: The APM Server receives trace payloads from agents, enriches them, and forwards them to Elasticsearch.

Question 44. What does the dot_expander processor do when it encounters a field name containing multiple dots, such as a.b.c?
A) It creates a three-level nested object a → b → c
B) It flattens the field into a single string “a_b_c”
C) It raises an error because nested objects are not allowed
D) It removes the field from the document
Answer: A
Explanation: The dot_expander interprets each dot as a level in a nested object hierarchy, constructing the appropriate JSON structure.

Question 45. How can you configure an alert in Kibana to automatically create a ticket in Jira when a service’s error rate exceeds a threshold?
A) Use the “Webhook” action pointing to Jira’s REST API
B) Use the built-in “Jira” action (requires Jira integration)
C) Use the “Email” action with a Jira-formatted payload
D) Both A and B are valid approaches
Answer: D
Explanation: Either a generic webhook to Jira’s API or a dedicated Jira action (if the integration is set up) can be used to create tickets from alerts.

Question 46. What is the purpose of the date processor in an ingest pipeline?
A) To convert a string field into a date type and optionally reformat it
B) To calculate the time difference between two fields
C) To add the current ingestion timestamp to the document
D) To filter out documents older than a certain date
Answer: A
Explanation: The date processor parses a string according to a specified format and stores it as a date type, optionally overriding the original field.

Question 47. In Elastic Observability, which of the following is a built-in dashboard that shows JVM memory usage for Java services?
A) System Overview Dashboard

Question 50. Which Kibana visualization type is best suited for displaying the distribution of response times as a histogram?
A) Area
B) Bar
C) Heatmap
D) Lens histogram (or “Histogram” in Lens)
Answer: D
Explanation: A histogram visualizes numeric value distribution across buckets, making it ideal for response-time frequency analysis.

Question 51. What is the default index pattern that the Logs app uses to query log data?
A) logs-*
B) filebeat-*
C) -logs-
D) data-stream-logs-*
Answer: B
Explanation: By default, the Logs app searches the filebeat-* index pattern, which matches indices created by Filebeat and Elastic Agent’s log integration.

Question 52. Which of the following statements about Elastic Agent policy inheritance is correct?
A) Child policies completely override all settings from parent policies
B) Child policies inherit all settings from the parent unless explicitly overridden
C) Policies cannot be nested; inheritance is not supported
D) Inheritance only applies to security policies, not data collection
Answer: B
Explanation: Elastic Agent policies support inheritance; a child policy starts with the parent’s configuration and you can override specific items.

Question 53. In the context of APM, what is a “transaction”?
A) A single HTTP request or background job that is measured end-to-end
B) A database query executed by the application
C) The process of sending data from the agent to Elasticsearch
D) A Kibana alert triggered by performance thresholds
Answer: A
Explanation: A transaction represents a logical operation such as an HTTP request or a background task, capturing its duration and associated spans.

Question 54. What is the purpose of the fail processor’s message parameter?
A) To log the failure reason to a separate index
B) To provide a custom error message that appears in the ingest pipeline logs
C) To send an email notification when the processor fails
D) To retry the document after the specified delay
Answer: B
Explanation: The message parameter defines a custom error description that is included in the exception thrown by the fail processor.

Question 55. How can you reduce the size of stored log documents that contain large JSON payloads?
A) Use the json processor with target: null to flatten and discard the original field
B) Enable source.enabled: false in the index mapping
C) Apply a remove processor to delete the large field before indexing