Elastic Stack Elastic Certified Observability Engineer Practice Exam, Exams of Technology

This exam measures skills in deploying Elastic Observability for logs, metrics, traces, APM, uptime monitoring, and distributed tracing. Candidates must understand Beats, Elastic Agent, Fleet management, service maps, anomaly detection, log enrichment, SLO/SLA modeling, and correlation analysis across telemetry sources.

Typology: Exams

2025/2026

Available from 01/06/2026

shilpi-jain-1
Elastic Stack Elastic Certified Observability Engineer Practice Exam

Question 1. Which Elastic Agent mode is used to run as a single binary that can collect logs, metrics, and security data on a host?
A) Standalone mode
B) Fleet mode
C) Elastic Cloud mode
D) Elastic Agentless mode
Answer: B
Explanation: Fleet mode allows the Elastic Agent to be centrally managed from Kibana, enabling collection of logs, metrics, and security data through a single binary on each host.
Question 2. What is the primary purpose of an integration in the Elastic Agent UI?
A) To install Kibana plugins automatically
B) To configure data collection for a specific service or technology
C) To create custom dashboards
D) To manage user authentication
Answer: B
Explanation: Integrations provide pre-built configurations for collecting logs, metrics, or traces from particular services such as Nginx, MySQL, or System.
Question 3. How do you configure the Elastic Agent to tail a custom log file located at /var/log/custom/app.log?
A) Add the file path to the filebeat.inputs section of filebeat.yml
B) Enable the “Logs” integration and specify the path in the “Files” field
C) Create a new logstash-pipeline.conf file with a file input plugin
D) Use the elastic-agent command-line flag --log-path
Answer: B
Explanation: The Logs integration in Elastic Agent provides a UI field where you can list custom log file paths for the agent to tail and ship.
Question 4. Which processor in an ingest node pipeline would you use to extract the timestamp from a field called message using the pattern “[%{TIMESTAMP_ISO8601:ts}]”?
A) dissect
B) grok
C) date
D) convert
Answer: B
Explanation: The grok processor applies regular-expression-like patterns to parse fields; the provided pattern is a grok pattern that extracts a timestamp into the ts field.
Question 5. What does the convert processor do in an ingest pipeline?
A) Changes the field name
B) Parses JSON strings into objects
C) Transforms the field’s data type (e.g., string to integer)
D) Removes a field from the document
Answer: C
Explanation: The convert processor changes the data type of a field, such as converting a string representation of a number into an integer or a date.
Question 6. Which of the following is a valid step to enable Real User Monitoring (RUM) on an APM Server?
A) Set rum.enabled: true in apm-server.yml
B) Install the elastic-rum-agent package on the server

Question 9. How can you create a data stream for custom metrics in Elasticsearch?
A) Use the PUT /data_stream/ API call
B) Create a regular index with a data_stream:true setting
C) Define a metricbeat.yml pipeline and enable data_stream:true
D) Use Kibana’s “Create data stream” wizard under Management → Index Management
Answer: A
Explanation: The PUT /data_stream/ API creates a data stream that automatically manages underlying backing indices.
Question 10. Which Kibana app provides a view of distributed trace waterfalls for APM services?
A) Logs
B) Metrics
C) Uptime
D) APM
Answer: D
Explanation: The APM app includes a Traces view that shows waterfall diagrams of spans for each transaction, enabling performance analysis.
Question 11. What field does the geoip processor add to a document after processing an IP address field named client_ip?
A) client_ip.geo
B) client_ip.location
C) client_ip.geo.coordinates
D) client_ip.geoip (containing country, city, location, etc.)
Answer: D

Explanation: The geoip processor enriches the document with a .geoip object containing country, city, latitude, longitude, and other location data.
Question 12. Which of the following is NOT a built-in processor for ingest pipelines?
A) append
B) script
C) split
D) rename
Answer: B
Explanation: While script processors exist in Logstash pipelines, they are not part of the ingest node processor set; ingest pipelines use processors like append, split, rename, etc.
Question 13. How does the fail processor behave when its condition is met?
A) It drops the document silently
B) It adds a field error with a custom message
C) It raises an exception that stops pipeline execution for that document
D) It retries the document after a delay
Answer: C
Explanation: The fail processor throws an exception, causing the ingest pipeline to halt processing for that document and log the failure.
Question 14. What is the purpose of the set processor in an ingest pipeline?
A) To replace an existing field’s value
B) To add a new field with a static or scripted value
C) To rename a field
D) To delete a field

B) Linux metrics integration
C) Host metrics integration
D) Elastic Metrics integration
Answer: A
Explanation: The “System metrics” integration provides pre-built metricsets for CPU, memory, disk I/O, and network statistics on Linux hosts.
Question 18. How can you enable the collection of Kubernetes pod logs using Elastic Agent?
A) Deploy the Elastic Agent as a DaemonSet with the “Kubernetes logs” integration enabled
B) Install Filebeat on each node and point it to /var/log/pods
C) Use Logstash with a Kubernetes input plugin
D) Enable the “Docker logs” integration and set the container runtime to Kubernetes
Answer: A
Explanation: Deploying Elastic Agent as a DaemonSet and enabling the Kubernetes logs integration automatically discovers and ships pod logs.
Question 19. What is the effect of configuring pipeline.workers to 1 in the ingest node settings?
A) Enables parallel processing of documents
B) Forces sequential processing, which can be useful for order-dependent pipelines
C) Increases the maximum ingest throughput
D) Disables all ingest pipelines
Answer: B
Explanation: Setting pipeline.workers to 1 processes ingest documents one at a time, preserving order but reducing throughput.
Question 20. In the APM app, what does the “Service latency” chart display?

A) The time taken for the APM Server to acknowledge requests
B) The average duration of transactions for a selected service
C) Network round-trip time between the agent and Elasticsearch
D) The time between two consecutive heartbeats
Answer: B
Explanation: Service latency visualizes the average transaction duration (response time) for the chosen service, helping identify performance regressions.
Question 21. Which Elasticsearch API is used to retrieve the current ILM policy attached to an index?
A) GET /_ilm/policy/{policy_name}
B) GET /{index}/_ilm/explain
C) GET /{index}/_settings?filter_path=**.lifecycle
D) GET /_ilm/explain/{index}
Answer: B
Explanation: The GET /{index}/_ilm/explain API returns the ILM phase and policy details for the specified index.
Question 22. What is the primary benefit of using a data stream instead of a regular index for observability metrics?
A) Data streams automatically enforce field mappings
B) Data streams support hot-warm-cold lifecycle without manual rollover
C) Data streams allow per-document versioning
D) Data streams encrypt data at rest by default
Answer: B

C) Slack action (built-in)
D) Index action
Answer: C
Explanation: Kibana provides a native Slack action that posts messages directly to a configured Slack channel.
Question 26. Which setting in apm-server.yml controls the maximum size of a transaction payload that the server will accept?
A) max_payload_bytes
B) transaction_max_bytes
C) server.max_payload_size
D) payload.max_bytes
Answer: A
Explanation: The max_payload_bytes parameter defines the upper limit for the size of incoming APM payloads, preventing oversized requests.
Question 27. What is the purpose of the remove processor in an ingest pipeline?
A) To delete a field from the document
B) To clear the value of a field while keeping the field name
C) To exclude the document from indexing
D) To move a field to a new name
Answer: A
Explanation: The remove processor permanently deletes the specified field(s) from the document during ingestion.
Question 28. In the context of Elastic Observability, what does “RUM” stand for?

A) Real-User Metrics
B) Remote-User Monitoring
C) Real-User Monitoring
D) Resource-Utilization Management
Answer: C
Explanation: RUM is Real-User Monitoring, which captures front-end performance data from browsers and sends it to the APM Server.
Question 29. How can you configure a Heartbeat monitor to perform a TCP check on port 443 of example.com every 30 seconds?
A) Set type: tcp, hosts: ["example.com:443"], schedule: "@every 30s"
B) Set type: http, url: "https://example.com", schedule: "30s"
C) Set type: icmp, hosts: ["example.com"], interval: "30s"
D) Set type: tcp, hosts: ["example.com"], port: 443, period: "30s"
Answer: A
Explanation: The TCP monitor requires the host and port in the hosts array and a cron-style schedule; “@every 30s” runs the check every 30 seconds.
Question 30. What does the Kibana “Logs” app primarily use to query log data?
A) Elasticsearch SQL
B) Lucene query syntax with the log* index pattern
C) Piped Processing Language (PPL)
D) KQL (Kibana Query Language)
Answer: D
Explanation: The Logs app utilizes KQL to filter and search log entries across the configured index patterns.

D) Elastic Agent ML module
Answer: C
Explanation: Kibana’s Machine Learning UI allows you to create and manage anomaly detection jobs on log, metric, or trace data.
Question 34. What does the json processor do when applied to a field containing a JSON string?
A) It validates the JSON syntax and drops the document if invalid
B) It parses the JSON string and adds each key/value as separate fields in the document
C) It converts the JSON into a base64-encoded string
D) It compresses the JSON payload for storage efficiency
Answer: B
Explanation: The json processor deserializes a JSON string field, promoting its contents to top-level fields (or a target object).
Question 35. How can you limit the retention of a time-series index to 90 days using ILM?
A) Set index.lifecycle.max_age: 90d in the index template
B) Create an ILM policy with a delete phase after 90 days and assign it to the index
C) Use the curator tool to delete indices older than 90 days
D) Set the index.routing.allocation.include.age: 90d setting
Answer: B
Explanation: An ILM policy can specify a delete phase that triggers after a defined number of days, automatically removing indices older than that period.
Question 36. Which of the following is a required field when defining a custom ingest pipeline that uses the grok processor?
A) pattern_definitions

B) match_field
C) patterns
D) source_field
Answer: D
Explanation: The grok processor needs a field (or source_field) from which to read the raw text that will be parsed according to the defined patterns.
Question 37. In Kibana’s Uptime app, what does a red status indicator for a monitor signify?
A) The monitor is currently disabled
B) The monitor has not yet run
C) The monitor failed its last check (service unreachable)
D) The monitor is experiencing high latency but is reachable
Answer: C
Explanation: A red badge in the Uptime UI indicates that the most recent heartbeat check failed, meaning the service could not be reached.
Question 38. What is the default port on which the Elastic APM Server listens for incoming data?
A) 8200
B) 5601
C) 5044
D) 9200
Answer: A
Explanation: By default, the APM Server binds to port 8200 for HTTP ingestion of trace and metric data.
Question 39. How does the append processor modify a field that already contains an array?

Question 42. Which file would you edit to add a custom Beats input for collecting logs from /opt/app/logs/*.log when using Filebeat?
A) filebeat.yml
B) elasticsearch.yml
C) kibana.yml
D) logstash.yml
Answer: A
Explanation: Filebeat’s configuration resides in filebeat.yml, where inputs (paths) are defined.
Question 43. In the context of Elastic Observability, which component processes the “trace” data sent by the APM agents?
A) Logstash
B) Beats
C) APM Server
D) Kibana
Answer: C
Explanation: The APM Server receives trace payloads from agents, enriches them, and forwards them to Elasticsearch.
Question 44. What does the dot_expander processor do when it encounters a field name containing multiple dots, such as a.b.c?
A) It creates a three-level nested object a → b → c
B) It flattens the field into a single string “a_b_c”
C) It raises an error because nested objects are not allowed
D) It removes the field from the document

Answer: A
Explanation: The dot_expander interprets each dot as a level in a nested object hierarchy, constructing the appropriate JSON structure.
Question 45. How can you configure an alert in Kibana to automatically create a ticket in Jira when a service’s error rate exceeds a threshold?
A) Use the “Webhook” action pointing to Jira’s REST API
B) Use the built-in “Jira” action (requires Jira integration)
C) Use the “Email” action with a Jira-formatted payload
D) Both A and B are valid approaches
Answer: D
Explanation: Either a generic webhook to Jira’s API or a dedicated Jira action (if the integration is set up) can be used to create tickets from alerts.
Question 46. What is the purpose of the date processor in an ingest pipeline?
A) To convert a string field into a date type and optionally reformat it
B) To calculate the time difference between two fields
C) To add the current ingestion timestamp to the document
D) To filter out documents older than a certain date
Answer: A
Explanation: The date processor parses a string according to a specified format and stores it as a date type, optionally overriding the original field.
Question 47. In Elastic Observability, which of the following is a built-in dashboard that shows JVM memory usage for Java services?
A) System Overview Dashboard

Question 50. Which Kibana visualization type is best suited for displaying the distribution of response times as a histogram?
A) Area
B) Bar
C) Heatmap
D) Lens histogram (or “Histogram” in Lens)
Answer: D
Explanation: A histogram visualizes numeric value distribution across buckets, making it ideal for response-time frequency analysis.
Question 51. What is the default index pattern that the Logs app uses to query log data?
A) logs-*
B) filebeat-*
C) -logs-
D) data-stream-logs-*
Answer: B
Explanation: By default, the Logs app searches the filebeat-* index pattern, which matches indices created by Filebeat and Elastic Agent’s log integration.
Question 52. Which of the following statements about Elastic Agent policy inheritance is correct?
A) Child policies completely override all settings from parent policies
B) Child policies inherit all settings from the parent unless explicitly overridden
C) Policies cannot be nested; inheritance is not supported
D) Inheritance only applies to security policies, not data collection
Answer: B

Explanation: Elastic Agent policies support inheritance; a child policy starts with the parent’s configuration and you can override specific items.
Question 53. In the context of APM, what is a “transaction”?
A) A single HTTP request or background job that is measured end-to-end
B) A database query executed by the application
C) The process of sending data from the agent to Elasticsearch
D) A Kibana alert triggered by performance thresholds
Answer: A
Explanation: A transaction represents a logical operation such as an HTTP request or a background task, capturing its duration and associated spans.
Question 54. What is the purpose of the fail processor’s message parameter?
A) To log the failure reason to a separate index
B) To provide a custom error message that appears in the ingest pipeline logs
C) To send an email notification when the processor fails
D) To retry the document after the specified delay
Answer: B
Explanation: The message parameter defines a custom error description that is included in the exception thrown by the fail processor.
Question 55. How can you reduce the size of stored log documents that contain large JSON payloads?
A) Use the json processor with target: null to flatten and discard the original field
B) Enable source.enabled: false in the index mapping
C) Apply a remove processor to delete the large field before indexing