Splunk Enterprise / Splunk Cloud Certified Admin Practice Exam

This practice exam focuses on Splunk Cloud administration, covering tenancy management, data inputs, user roles, indexing, performance monitoring, configuration controls, and cloud-specific security requirements. Candidates learn to maintain and optimize Splunk Cloud deployments.

Typology: Exams

2025/2026

Available from 01/06/2026

Uploaded by shilpi-jain-1

Splunk Enterprise Splunk Cloud Certified Admin Practice Exam
Question 1. Which Splunk component is responsible for receiving raw data from forwarders and writing it to disk?
A) Search Head
B) Deployment Server
C) Indexer
D) License Master
Answer: C
Explanation: The Indexer receives data from forwarders, parses it, and stores it in indexes on disk.
Question 2. In a Splunk deployment, which component manages the distribution of apps and configurations to universal forwarders?
A) Search Head
B) Deployment Server
C) Indexer Cluster Master
D) License Master
Answer: B
Explanation: The Deployment Server acts as a central point for pushing apps and configuration bundles to forwarders configured as deployment clients.
Question 3. What is the primary difference between a Universal Forwarder (UF) and a Heavy Forwarder (HF)?
A) UF can parse data, HF cannot
B) UF is lightweight and forwards raw data, HF can index and parse data before forwarding
C) UF runs on Windows only, HF runs on Linux only
D) UF requires a license, HF does not
Answer: B

Explanation: Universal Forwarders are lightweight agents that forward raw data, while a Heavy Forwarder is a full Splunk Enterprise instance that parses data at ingest and can filter, mask, route, and optionally index it before forwarding.
Question 4. Which file is used to configure the destination indexer(s) for a universal forwarder?
A) inputs.conf
B) props.conf
C) outputs.conf
D) transforms.conf
Answer: C
Explanation: outputs.conf defines the target indexer(s) in [tcpout] stanzas, together with transport settings such as TLS (useSSL, sslVerifyServerCert) for forwarder data transmission.
Question 5. When configuring a monitor input in inputs.conf, which stanza keyword specifies the directory to be watched?
A) monitor
B) file
C) directory
D) path
Answer: A
Explanation: The "monitor" stanza, written [monitor://<path>], defines the file or directory that Splunk should continuously watch.
Question 6. In Splunk, which configuration file determines the default sourcetype for a monitored file if none is specified?
A) props.conf
B) inputs.conf
C) transforms.conf

C) Changes the host field value
D) Sets the event's timestamp
Answer: B
Explanation: DEST_KEY = _raw tells Splunk to write the output of the transform's FORMAT into the raw event, replacing the original text; this is how transforms.conf masks or rewrites event data before it is indexed.
Question 10. Which bucket type holds the most recent events that are actively being written to?
A) Warm
B) Cold
C) Hot
D) Frozen
Answer: C
Explanation: The Hot bucket contains the newest data and is where the indexer writes incoming events until the bucket reaches its size or time limit and rolls to warm.
Question 11. What happens when a Splunk index reaches its "frozenTimePeriodInSecs" setting?
A) The bucket is deleted permanently
B) The bucket is moved to the frozen directory for archival or deletion according to the retention policy
C) The bucket is compressed but remains searchable
D) The indexer stops accepting new data
Answer: B
Explanation: A bucket is frozen once its newest event is older than frozenTimePeriodInSecs, so a bucket can still hold events older than the limit as long as its latest event is not. Frozen data is no longer searchable; by default Splunk deletes it, and it is archived only if coldToFrozenDir or coldToFrozenScript is set in indexes.conf.
Question 12. Which command can be used to view the effective value of a configuration setting after layering is applied?

A) splunk list config
B) splunk btool list --debug
C) splunk show config
D) splunk config inspect
Answer: B
Explanation: "splunk btool <conf_file> list --debug" (for example, splunk btool inputs list --debug) displays the final value of each setting after merging the system, app, and user layers, and the --debug flag prefixes each line with the file that supplied it.
Question 13. In Splunk Cloud, who is responsible for setting index retention policies such as searchable retention and maximum index size?
A) Splunk Cloud support team
B) The customer via the Cloud Management Console
C) The License Master only
D) No retention policies are allowed in Cloud
Answer: B
Explanation: Customers create indexes and set their retention and size limits in the Splunk Web management UI (Settings > Indexes); they do not edit indexes.conf directly, and Splunk operates the underlying infrastructure.
Question 14. Which capability allows a role to edit knowledge objects such as saved searches and dashboards?
A) schedule_search
B) edit_searches
C) change_password
D) list_inputs
Answer: B
Explanation: The "edit_searches" capability grants permission to create, modify, and delete saved searches and dashboards.
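The layering that btool resolves in Question 12 is easier to trust once you have watched the merge happen. The following is an added example, not part of the exam and not Splunk's code: a small resolver that applies the documented precedence for the global context (system/default, then every app's default, then every app's local, then system/local) and prints a btool --debug style listing with the source file of each effective value. It assumes that competing apps in the global context are resolved in ASCII order, with the app that sorts first winning, and it does not model [default] stanza inheritance. The app names and file contents are constructed; the zz_site_overrides app exists only to show that naming an override app to sort last does not make it win.

```python
"""Resolve the effective value of a setting the way `splunk btool <conf> list --debug`
reports it, for the global (non-app-scoped) context.

Added example, not part of the practice exam or of Splunk's code. It models the
documented layering: system/default < apps' default < apps' local < system/local,
with competing apps in the global context resolved in ASCII order (the app that sorts
first wins). The [default] stanza inheritance is not modelled. File contents are
constructed for the demo and keyed by path relative to $SPLUNK_HOME/etc.
"""
import re

SAMPLE_FILES = {
    "apps/Splunk_TA_nix/default/inputs.conf": """
[monitor:///var/log/auth.log]
sourcetype = linux_secure
index = main
disabled = 1
""",
    "apps/Splunk_TA_nix/local/inputs.conf": """
# admin enabled the input and pointed it at the os index
[monitor:///var/log/auth.log]
disabled = 0
index = os
""",
    "apps/zz_site_overrides/local/inputs.conf": """
# an override app named zz_* in the hope that it "sorts last and wins"
[monitor:///var/log/auth.log]
index = security
""",
    "system/local/inputs.conf": """
[monitor:///var/log/auth.log]
host = bastion01
""",
}


def parse_conf(text):
    """Minimal .conf parser: [stanza] headers and key = value lines; # comments skipped."""
    stanzas, current = {}, "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1)
            stanzas.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            stanzas.setdefault(current, {})[key.strip()] = value.strip()
    return stanzas


def layer_of(path):
    """Return (rank, app) for a file; a higher rank means higher precedence."""
    parts = path.split("/")
    if parts[0] == "system":
        return (0 if parts[1] == "default" else 3), ""
    app, scope = parts[1], parts[2]          # apps/<app>/<default|local>/<file>
    return (1 if scope == "default" else 2), app


def apply_order(paths):
    """Lowest precedence first, so later files overwrite earlier ones.
    Within a layer, apps are applied in reverse ASCII order so the ASCII-first
    app is written last and wins, as Splunk does in the global context."""
    by_app_desc = sorted(paths, key=lambda p: layer_of(p)[1], reverse=True)
    return sorted(by_app_desc, key=lambda p: layer_of(p)[0])   # stable sort by rank


def effective_stanza(files, conf_name, stanza):
    """Return {key: (value, source_path)} for one stanza after layering."""
    result = {}
    paths = [p for p in files if p.endswith("/" + conf_name)]
    for path in apply_order(paths):
        for key, value in parse_conf(files[path]).get(stanza, {}).items():
            result[key] = (value, path)
    return result


def render_debug(files, conf_name, stanza):
    """btool --debug style listing: source file first, then the effective key = value."""
    lines = [f"[{stanza}]"]
    for key, (value, path) in sorted(effective_stanza(files, conf_name, stanza).items()):
        lines.append(f"{path:<45} {key} = {value}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_debug(SAMPLE_FILES, "inputs.conf", "monitor:///var/log/auth.log"))
```

Running it shows index = os coming from Splunk_TA_nix/local, not security from zz_site_overrides/local: both files sit in the same layer, and "S" sorts before "z" in ASCII. The only layer that beats every app is system/local, which is why host = bastion01 wins there. On a real instance, confirm the same outcome with splunk btool inputs list --debug before assuming an override took effect.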

Answer: C
Explanation: In a standalone (single-instance) deployment, the same Splunk Enterprise process performs both search head and indexing functions.
Question 18. In a distributed search environment, what is the term for the process of a search head sending a subsearch to an indexer?
A) Forwarding
B) Peer delegation
C) Search peer query
D) Job dispatch
Answer: D
Explanation: The search head creates a search job and dispatches it to its search peers (indexers), which run their part of the search and return results for the search head to merge.
Question 19. Which of the following is a valid reason for a license violation in Splunk Enterprise?
A) Deploying a universal forwarder without a license
B) Exceeding the daily indexed data volume defined by the license
C) Running a search that returns more than 10,000 events
D) Using the HTTP Event Collector (HEC) without enabling TLS
Answer: B
Explanation: Indexing more data in a day than the licensed daily volume produces a license warning, and enough warnings within a rolling 30-day window put the license into violation.
Question 20. When configuring a TCP input in Splunk, which stanza in inputs.conf is used?
A) [udp]
B) [tcp]

C) [tcp://:9997]
D) [listen]
Answer: C
Explanation: The stanza "[tcp://:<port>]" defines a raw TCP listener on the specified port. Note that data from Splunk forwarders uses the separate [splunktcp://<port>] stanza, and 9997 is the conventional port for that, so a real raw-TCP input would normally be given a different port.
Question 21. Which setting in inputs.conf controls the maximum size of the persistent queue for a forwarder?
A) queueSize
B) maxQueueSize
C) persistentQueueSize
D) queueSizeKB
Answer: C
Explanation: persistentQueueSize sets the maximum size of the on-disk queue (a number of bytes, or with a KB/MB/GB/TB suffix) used to buffer network and scripted input data when the forwarder cannot reach its destination; queueSize is the in-memory queue that spills into it.
Question 22. What does the "index = false" setting in props.conf accomplish?
A) Prevents the event from being indexed at all
B) Sends the event to a null queue after parsing
C) Marks the event as a summary index entry
D) Disables timestamp extraction for the event
Answer: A
Explanation: Setting "index = false" tells Splunk to discard the event after parsing, effectively preventing it from being stored.
Question 23. Which role by default has the capability to manage licenses?

Question 26. What is the effect of setting "maxHotBuckets = 3" in indexes.conf?
A) Limits the total number of hot buckets across all indexes to three
B) Allows each index to have at most three hot buckets simultaneously
C) Forces the index to roll hot buckets after three events
D) Disables hot buckets entirely
Answer: B
Explanation: maxHotBuckets is a per-index setting that controls the maximum number of hot buckets a single index can maintain at one time; when another is needed, the oldest hot bucket rolls to warm.
Question 27. Which of the following is a valid method for ingesting data into Splunk Cloud?
A) Installing a universal forwarder directly on the Cloud instance
B) Using the HTTP Event Collector (HEC) with a token provided by the Cloud admin
C) Deploying a heavy forwarder inside the customer's firewall and pointing it to the Cloud's indexer port 8089
D) Copying raw log files into a shared S3 bucket that Splunk Cloud automatically reads
Answer: B
Explanation: HEC is a supported way to send data to Splunk Cloud over HTTPS; the token authenticates the source. Forwarders in the customer's network are also supported, but they send to port 9997 using the Splunk Cloud forwarder credentials package, not to the 8089 management port named in option C.
Question 28. In Splunk, which capability is required for a role to view the Monitoring Console?
A) list_monitoring_console
B) schedule_search
C) rest_apps_view
D) list_sessions
Answer: A

Explanation: The "list_monitoring_console" capability grants permission to view the Monitoring Console dashboards.
Question 29. Which file would you edit to change the default host field for data coming from a specific monitor input?
A) transforms.conf
B) props.conf
C) inputs.conf
D) server.conf
Answer: C
Explanation: inputs.conf allows you to set the "host" attribute for a monitor stanza, overriding the default detection.
Question 30. What does the "SEDCMD" setting in props.conf enable?
A) Automatic timestamp extraction using sed syntax
B) Modification of raw event data using sed regular expressions before indexing
C) Routing events to different indexes based on sed matches
D) Encryption of event data using sed algorithms
Answer: B
Explanation: SEDCMD-<class> = s/<regex>/<replacement>/<flags> applies a sed-style substitution to the raw event text during parsing, so the masked form is what gets written to disk. It must be set on the first full Splunk instance in the data path (heavy forwarder or indexer), since universal forwarders do not parse events.
Question 31. Which Splunk command can be used to list all installed apps and their versions?
A) splunk list apps
B) splunk display appinfo
C) splunk show appsummary
D) splunk list app – verbose

C) $SPLUNK_HOME/bin/scripts
D) $SPLUNK_HOME/etc/apps/search/local/scripts
Answer: A
Explanation: Placing the script in an app's "bin" directory allows Splunk to locate and execute it via the scripted input stanza.
Question 35. Which of the following is a valid way to enforce multi-factor authentication (MFA) for Splunk Web users?
A) Enable the "require_mfa" setting in web.conf
B) Configure an external SAML identity provider that enforces MFA
C) Install the Splunk MFA app from Splunkbase
D) Set "mfa = true" in authorize.conf
Answer: B
Explanation: Splunk can delegate authentication to a SAML identity provider, and the IdP enforces MFA before it issues the assertion that Splunk accepts; this is the recommended approach.
Question 36. What does the "maxConcurrentSearches" setting in limits.conf control?
A) Maximum number of parallel searches a user can run
B) Maximum number of concurrent indexer peers per search head
C) Maximum number of search jobs the system can schedule overall
D) Maximum number of saved searches that can be scheduled
Answer: C
Explanation: maxConcurrentSearches limits the total number of active search jobs across the deployment.
Question 37. In a Splunk indexer cluster, which node is responsible for managing bucket replication and cluster configuration?

A) Search Head
B) Deployment Server
C) Cluster Master (or Master Node)
D) License Master
Answer: C
Explanation: The Cluster Master (renamed Cluster Manager, or manager node, in Splunk 8.1) coordinates bucket replication, tracks which peers hold which bucket copies, distributes the configuration bundle to the peers, and reports overall cluster health.
Question 38. Which of the following statements about Splunk's "summary indexing" is true?
A) It stores raw events in a compressed format for long-term retention
B) It creates accelerated data structures for faster reporting on large time ranges
C) It replaces the need for a hot bucket in the index lifecycle
D) It is only available in Splunk Cloud
Answer: B
Explanation: Summary indexing runs a scheduled search (typically with the si* commands or collect) and writes its pre-aggregated results to a separate summary index, so reports over long time ranges search the small summary instead of the raw events. It is distinct from report acceleration and data model acceleration, which Splunk maintains automatically.
Question 39. What is the default port used by the Splunk Deployment Server to serve apps to forwarders?
A) 8089
B) 8080
C) 8000
D) 9997
Answer: A
Explanation: The Deployment Server uses Splunk's management port 8089 for communication with deployment clients.
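A SEDCMD rule from Question 30 is only as good as its regex, and a mistake means either unmasked secrets on disk or mangled events that can no longer be parsed. The following is an added example, not part of the exam and not Splunk's code: a small emulator that takes SEDCMD rules in the documented s/<regex>/<replacement>/<flags> form and applies them to sample events so a redaction rule can be checked before it goes to a heavy forwarder or indexer. It assumes the rules are applied in list order, translates sed back-references (\1, &) into Python re syntax, and treats the g flag as replace-all. The rules and the events (a card number, a bearer token, a password parameter) are constructed.

```python
"""Emulate props.conf SEDCMD masking so a redaction regex can be verified before it
is deployed to a heavy forwarder or indexer.

Added example, not part of the practice exam or of Splunk's code. It assumes the
documented SEDCMD form s/<regex>/<replacement>/<flags> with \\1-style back-references
and the g flag for replace-all, and applies multiple rules in list order. Sample
events and rules are constructed for the demo.
"""
import re

# Constructed SEDCMD rules as they would appear in props.conf under a sourcetype stanza.
SEDCMDS = [
    r"s/\b(\d{12})(\d{4})\b/XXXXXXXXXXXX\2/g",                       # keep last 4 digits of a card number
    r"s/(Authorization: Bearer )[A-Za-z0-9._~+\/-]+/\1[REDACTED]/g",  # strip bearer tokens
    r"s/(password=)[^&\s]+/\1********/g",                              # blank a password field
]

SAMPLE_EVENTS = [
    "2024-05-01T12:00:00Z POST /pay card=4111111111111111 amount=19.99",
    "2024-05-01T12:00:01Z GET /api Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def",
    "2024-05-01T12:00:02Z login user=alice password=hunter2&remember=1",
]


def parse_sedcmd(cmd):
    """Split s<d><regex><d><repl><d><flags> on unescaped delimiters (any single
    character may serve as the delimiter) and translate sed replacement syntax
    (\\1 back-references, & for the whole match) into Python's re syntax."""
    if len(cmd) < 4 or cmd[0] != "s":
        raise ValueError(f"only s/// substitutions are supported: {cmd!r}")
    delim, parts, buf, i = cmd[1], [], [], 2
    while i < len(cmd) and len(parts) < 2:
        ch = cmd[i]
        if ch == "\\" and i + 1 < len(cmd) and cmd[i + 1] == delim:
            buf.append(delim)          # an escaped delimiter is a literal character
            i += 2
            continue
        if ch == delim:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if len(parts) != 2:
        raise ValueError(f"malformed SEDCMD: {cmd!r}")
    regex, repl = parts
    flags = cmd[i:]
    repl = re.sub(r"(?<!\\)&", r"\\g<0>", repl)          # & -> whole match
    repl = repl.replace(r"\&", "&")                        # \& -> literal &
    repl = re.sub(r"\\([1-9])", r"\\g<\1>", repl)          # \1 -> \g<1>
    count = 0 if "g" in flags else 1                       # sed replaces the first match unless g
    return re.compile(regex), repl, count


def apply_sedcmds(event, sedcmds=SEDCMDS):
    """Apply each rule to the raw event text, as the parsing pipeline would before indexing."""
    for cmd in sedcmds:
        pattern, repl, count = parse_sedcmd(cmd)
        event = pattern.sub(repl, event, count=count)
    return event


def mask_events(events, sedcmds=SEDCMDS):
    """Mask a batch of raw events and return the text that would reach the index."""
    return [apply_sedcmds(e, sedcmds) for e in events]


if __name__ == "__main__":
    for before, after in zip(SAMPLE_EVENTS, mask_events(SAMPLE_EVENTS)):
        print(f"{before}\n  -> {after}")
```

Because SEDCMD runs at parse time, the original card number and token never reach disk, which is a stronger guarantee than search-time field redaction. The same rules can be pasted into props.conf once the emulator shows they match only what they should; a rule that over-matches (for example, a bare \d{16} that also hits timestamps or IDs) is easy to spot here and expensive to undo once indexed.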

Explanation: The "sourcetype" key in the HEC payload tells Splunk how to classify the incoming event.
Question 43. Which of the following actions will cause Splunk to re-process a file that has already been indexed?
A) Changing the file's modification timestamp only
B) Deleting the fishbucket entry for that file
C) Adding a new monitor input for the same file path
D) Restarting the Splunk service
Answer: B
Explanation: The fishbucket records a CRC of each monitored file and how far into it Splunk has read; removing that record makes Splunk treat the file as new and re-index it from the start. Clearing the whole fishbucket re-indexes every monitored file and the duplicate data counts against the license, so prefer resetting a single file's record (btprobe) or adjusting crcSalt where possible.
Question 44. Which Splunk UI element allows an admin to view license usage broken down by index and time period?
A) License Usage Report in Settings > Licensing
B) Indexes dashboard in Monitoring Console
C) Data Summary > Indexes
D) Search > _internal index | stats sum(b) by index
Answer: A
Explanation: The License Usage Report provides detailed consumption per index and daily totals.
Question 45. In a search head clustering environment, what is a "knowledge bundle"?
A) A set of indexes replicated across the cluster
B) A collection of saved searches, dashboards, and alerts that are shared among cluster members

C) The configuration files for forwarder deployment
D) The license data distributed to each search head
Answer: B
Explanation: Strictly, the knowledge bundle is the set of knowledge objects (lookups, macros, field extractions, and so on) that a search head sends to its search peers (indexers) so that a distributed search runs with the same definitions everywhere; in a search head cluster, the captain pushes one bundle on behalf of all members. Option B is the closest choice offered, but sharing saved searches and dashboards between the cluster members themselves is done by configuration replication, not by the knowledge bundle.
Question 46. Which command line option disables the automatic start of the Splunk web interface?
A) splunk start --no-web
B) splunk enable webui false
C) splunk start --accept-license --no-prompt --no-webui
D) splunk stop web
Answer: A
Explanation: "splunk start --no-web" launches Splunk without starting the web server. The persistent way to turn Splunk Web off is splunk disable webserver (which sets startwebserver = 0 in web.conf) followed by a restart.
Question 47. Which of the following is NOT a valid bucket type in Splunk?
A) Hot
B) Warm
C) Cool
D) Frozen
Answer: C
Explanation: "Cool" is not a recognized bucket type; the bucket states are Hot, Warm, Cold, Frozen, and Thawed (for archives restored into thawedPath).
Question 48. What does the "index = true" setting in transforms.conf indicate?
A) The transformed event should be indexed into the target index defined by "DEST_INDEX"

Question 51. Which file would you edit to change the default port on which Splunk's management interface (splunkd) listens?
A) web.conf
B) server.conf
C) inputs.conf
D) limits.conf
Answer: A
Explanation: Counterintuitively, the splunkd management port is set by "mgmtHostPort" in the [settings] stanza of web.conf (default 127.0.0.1:8089); the CLI command splunk set splunkd-port <port> writes the same setting. server.conf holds the server's general and SSL settings but not the management port.
Question 52. When configuring a heavy forwarder to act as a data router, which setting in outputs.conf determines the target indexer group?
A) targetGroup
B) serverGroup
C) forwardingGroup
D) indexerGroup
Answer: A
Explanation: outputs.conf defines destinations in target group stanzas, [tcpout:<target_group>], each listing its indexers in the "server" attribute. defaultGroup under [tcpout] names the group used by default, and a heavy forwarder routes individual events to a group by setting _TCP_ROUTING in transforms.conf. None of the options is a literal attribute name, but "target group" is Splunk's term for the destination set.
Question 53. Which of the following is a valid reason to use a "nullQueue" destination in transforms.conf?
A) To archive events for compliance
B) To temporarily buffer events before indexing
C) To discard events that match a sensitive pattern
D) To route events to a remote Splunk instance
Answer: C

Explanation: A transform with REGEX, DEST_KEY = queue and FORMAT = nullQueue drops matching events at parse time, which is how noisy or sensitive data is filtered out before it is indexed; dropped events do not count against the license. The filtering has to run on a heavy forwarder or indexer, because universal forwarders do not parse events.
Question 54. In Splunk Cloud, which of the following is true about the "license master" role?
A) Customers must deploy their own license master VM
B) Splunk Cloud automatically manages licensing; customers do not interact with a license master
C) The license master is located on the customer's on-premises indexer cluster
D) License master functionality is disabled in Cloud deployments
Answer: B
Explanation: Splunk Cloud handles licensing as a managed service; customers view usage but do not manage a license master.
Question 55. Which setting in props.conf controls the character encoding used when reading a file input?
A) CHARSET
B) ENCODING
C) SOURCE_CHARSET
D) INPUT_ENCODING
Answer: A
Explanation: The "CHARSET" attribute tells Splunk how to interpret the byte stream of the input file (for example CHARSET = UTF-8, or AUTO to autodetect).
Question 56. What is the primary purpose of the "indexes.conf" setting "frozenTimePeriodInSecs"?
A) Determines how long a bucket stays in the hot state
B) Defines the maximum age before a bucket is moved to frozen storage
C) Controls the size limit for each bucket
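Questions 11 and 56 both turn on frozenTimePeriodInSecs, and the detail that trips people up is that retention is enforced per bucket, by the age of the bucket's newest event, and that maxTotalDataSizeMB can freeze data well before it reaches that age. The following is an added example, not part of the exam and not Splunk's code: a small model of those two rules that reports which buckets of an index would freeze and what happens to them. Its modelling assumptions are that a bucket's age is judged by its newest event, that size-based freezing removes the buckets with the oldest newest-event first, and that a frozen bucket is deleted unless coldToFrozenDir or coldToFrozenScript is set. The bucket names, sizes and timestamps are constructed.

```python
"""Which buckets of an index freeze, given frozenTimePeriodInSecs and maxTotalDataSizeMB.

Added example, not part of the practice exam or of Splunk's code. It encodes the
retention rules as documented for indexes.conf, with these modelling assumptions:
a bucket's age is judged by its NEWEST event, size-based freezing removes buckets
with the oldest newest-event first, and a frozen bucket is deleted unless
coldToFrozenDir or coldToFrozenScript is set. Bucket data is constructed.
"""
from dataclasses import dataclass

DEFAULT_FROZEN_TIME_PERIOD_IN_SECS = 188_697_600   # indexes.conf default, about 6 years
DEFAULT_MAX_TOTAL_DATA_SIZE_MB = 500_000           # indexes.conf default
DAY = 86_400
NOW = 1_700_000_000                                # fixed "current time" for the demo


@dataclass(frozen=True)
class Bucket:
    name: str
    earliest: int   # epoch seconds of the oldest event in the bucket
    latest: int     # epoch seconds of the newest event in the bucket
    size_mb: int


# Constructed buckets of one index. db_B is the instructive one: it holds events
# 120 days old, yet its newest event is only 60 days old.
SAMPLE_BUCKETS = [
    Bucket("db_A", NOW - 200 * DAY, NOW - 100 * DAY, 300),
    Bucket("db_B", NOW - 120 * DAY, NOW - 60 * DAY, 400),
    Bucket("db_C", NOW - 50 * DAY, NOW - 10 * DAY, 500),
    Bucket("hot_D", NOW - 9 * DAY, NOW, 200),
]


def plan_freeze(buckets, now=NOW,
                frozen_time_period_in_secs=DEFAULT_FROZEN_TIME_PERIOD_IN_SECS,
                max_total_data_size_mb=DEFAULT_MAX_TOTAL_DATA_SIZE_MB):
    """Return {bucket_name: "age" | "size"} for every bucket that would freeze.

    Age rule: the whole bucket freezes only when its newest event is older than
    frozenTimePeriodInSecs; older events inside a younger bucket stay searchable.
    Size rule: if the index is still over maxTotalDataSizeMB, the oldest remaining
    buckets freeze until it fits, regardless of age."""
    frozen = {}
    for b in buckets:
        if now - b.latest > frozen_time_period_in_secs:
            frozen[b.name] = "age"
    remaining = sorted((b for b in buckets if b.name not in frozen), key=lambda b: b.latest)
    total_mb = sum(b.size_mb for b in remaining)
    for b in remaining:
        if total_mb <= max_total_data_size_mb:
            break
        frozen[b.name] = "size"
        total_mb -= b.size_mb
    return frozen


def disposition(frozen, cold_to_frozen_dir=None):
    """What happens to each frozen bucket: archived if coldToFrozenDir is set, else deleted."""
    action = f"archived to {cold_to_frozen_dir}" if cold_to_frozen_dir else "deleted"
    return {name: f"frozen ({why}) -> {action}" for name, why in frozen.items()}


if __name__ == "__main__":
    ninety_days = 90 * DAY
    print("90-day retention, 1200 MB cap:",
          disposition(plan_freeze(SAMPLE_BUCKETS, NOW, ninety_days, 1200)))
    print("90-day retention, 1000 MB cap:",
          disposition(plan_freeze(SAMPLE_BUCKETS, NOW, ninety_days, 1000), "/archive/security"))
```

With a 90-day frozenTimePeriodInSecs, only db_A freezes: db_B still contains 120-day-old events, but its newest event is 60 days old, so those older events remain searchable for another month. Lowering maxTotalDataSizeMB to 1000 then freezes db_B for size even though it is within the age limit, and without coldToFrozenDir that data is simply deleted. Both effects matter when a retention setting is being read as a compliance guarantee: the age limit is a lower bound on how long old events can linger, not an exact cut-off, and the size cap can shorten retention without warning.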