Free SPLK-3003 Sample Questions — Splunk Core Certified Consultant

A customer's deployment server is overwhelmed with forwarder connections after adding an additional 1000 clients. The default phone home interval is set to 60 seconds. To reduce the number of connection failures to the DS what is recommended?

• A. Create a tiered deployment server topology
• B. Reduce the phone home interval to 6 seconds
• C. Leave the phone home interval at 60 seconds
• D. Increase the phone home interval to 600 seconds

A customer has asked for a five-node search head cluster (SHC), but does not have the storage budget to use a replication factor greater than 2. They would like to understand what might happen in terms of the users' ability to view historic scheduled search results if they log onto a search head which doesn't contain one of the 2 copies of a given search artifact. Which of the following statements best describes what would happen in this scenario?

• A. The search head that the user has logged onto will proxy the required artifact over to itself from a search head that currently holds a copy. A copy will also be replicated from that search head permanently, so it is available for future use
• B. Because the dispatch folder containing the search results is not present on the search head, the user will not be able to view the search results
• C. The user will not be able to see the results of the search until one of the search heads is restarted, forcing synchronization of all dispatched artifacts across all search heads
• D. The user will not be able to see the results of the search until the Splunk administrator issues the apply shcluster-bundle command on the search head deployer, forcing synchronization of all dispatched artifacts across all search heads

A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?

• A. Enter the license master configuration via Splunk web on each indexer before disabling Splunk web
• B. Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle
• C. Update the Splunk PS base config license app and copy to each indexer
• D. Update the Splunk PS base config license app and deploy via the cluster master

A customer has a new set of hardware to replace their aging indexers. What method would reduce the amount of bucket replication operations during the migration process?

• A. Disable the indexing ports on the old indexers
• B. Disable replication ports on the old indexers
• C. Put the old indexers into manual detention
• D. Put the old indexers into automatic detention

In addition to the normal responsibilities of a search head cluster captain, which of the following is a default behavior?

• A. The captain is not a cluster member and does not perform normal search activities
• B. The captain is a cluster member who performs normal search activities
• C. The captain is not a cluster member but does perform normal search activities
• D. The captain is a cluster member but does not perform normal search activities

When a bucket rolls from cold to frozen on a clustered indexer, which of the following scenarios occurs?

• A. All replicated copies will be rolled to frozen; original copies will remain
• B. Replicated copies of the bucket will remain on all other indexers and the Cluster Master (CM) assigns a new primary bucket
• C. The bucket rolls to frozen on all clustered indexers simultaneously
• D. Nothing. Replicated copies of the bucket will remain on all other indexers until a local retention rule causes it to roll

When utilizing a subsearch within a Splunk SPL search query, which of the following statements is accurate?

• A. Subsearches have to be initiated with the | subsearch command
• B. Subsearches can only be utilized with | inputlookup command
• C. Subsearches have a default result output limit of 10000
• D. There are no specific limitations when using subsearches

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

• A. None. Splunk default configurations will process the events as needed; the UF is not causing truncation
• B. Configure the best practice magic 6 or great 8 props.conf settings
• C. EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype
• D. Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings

A customer has the following Splunk instances within their environment: An indexer cluster consisting of a cluster master/master node and five clustered indexers, two search heads (no search head clustering), a deployment server, and a license master. The deployment server and license master are running on their own single-purpose instances. The customer would like to start using the Monitoring Console (MC) to monitor the whole environment. On the MC instance, which instances will need to be configured as distributed search peers by specifying them via the UI using the settings menu?

• A. Just the cluster master/master node
• B. Indexers, search heads, deployment server, license master, cluster master/master node
• C. Search heads, deployment server, license master, cluster master/master node
• D. Deployment server, license master

When adding a new search head to a search head cluster (SHC), which of the following scenarios occurs?

• A. The new search head connects to the captain and replays any recent configuration changes to bring it up to date
• B. The new search head connects to the deployer and replays any recent configuration changes to bring it up to date
• C. The new search head connects to the captain and pulls the most recently deployed bundle. It then connects to the deployer and replays any recent configuration changes to bring it up to date
• D. The new search head connects to the deployer and pulls the most recently deployed bundle. It then connects to the captain and replays any recent configuration changes to bring it up to date

A customer has implemented their own Role Based Access Control (RBAC) model to attempt to give the Security team different data access than the Operations team by creating two new Splunk roles "" security and operations. In the srchIndexesAllowed setting of authorize.conf, they specified the network index under the security role and the operations index under the operations role. The new roles are set up to inherit the default user role. If a new user is created and assigned to the operations role only, which indexes will the user have access to search?

• A. operations, network, _internal, _audit
• B. operations
• C. No Indexes
• D. operations, network

Which statement is correct?

• A. In general, search commands that can be distributed to the search peers should occur as early as possible in a well-tuned search
• B. As a streaming command, streamstats performs better than stats since stats is just a reporting command
• C. When trying to reduce a search result to unique elements, the dedup command is the only way to achieve this
• D. Formatting commands such as fieldformat should occur as early as possible in the search to take full advantage of the often larger number of search peers

Monitoring Console (MC) health check configuration items are stored in which configuration file?

• A. healthcheck.conf
• B. alert_actions.conf
• C. distsearch.conf
• D. checklist.conf

The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder (HF) be a more appropriate choice?

• A. When a predictable version of Python is required
• B. When filtering 10%""15% of incoming events
• C. When monitoring a log file
• D. When running a script

A new search head cluster is being implemented. Which is the correct command to initialize the deployer node without restarting the search head cluster peers?

• A. $SPLUNK_HOME/bin/splunk apply shcluster-bundle
• B. $SPLUNK_HOME/bin/splunk apply cluster-bundle
• C. $SPLUNK_HOME/bin/splunk apply shcluster-bundle ""action stage
• D. $SPLUNK_HOME/bin/splunk apply cluster-bundle ""action stage

What is the primary driver behind implementing indexer clustering in a customer's environment?

• A. To improve resiliency as the search load increases
• B. To reduce indexing latency
• C. To scale out a Splunk environment to offer higher performance capability
• D. To provide higher availability for buckets of data

Which statement is true about subsearches?

• A. Subsearches are faster than other types of searches
• B. Subsearches work best for joining two large result sets
• C. Subsearches run at the same time as their outer search
• D. Subsearches work best for small result sets

A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst case scenario, which queue(s) would be expected to fill up?

• A. Typing, merging, parsing, input
• B. Parsing
• C. Typing
• D. Indexing, typing, merging, parsing, input

Which command is most efficient in finding the pass4SymmKey of an index cluster?

• A. find / -name server.conf ""print | grep pass4SymKey
• B. $SPLUNK_HOME/bin/splunk search | rest splunk_server=local /servicesNS/-/unhash_app/storage/passwords
• C. $SPLUNK_HOME/bin/splunk btool server list clustering | grep pass4SymmKey
• D. $SPLUNK_HOME/bin/splunk btool clustering list clustering --debug | grep pass4SymmKey

A customer has three users and is planning to ingest 250GB of data per day. They are concerned with search uptime, can tolerate up to a two-hour downtime for the search tier, and want advice on single search head versus a search head cluster. (SHC). Which recommendation is the most appropriate?

• A. The customer should deploy two active search heads behind a load balancer to support HA
• B. The customer should deploy a SHC with a single member for HA; more members can be added later
• C. The customer should deploy a SHC, because it will be required to support the high volume of data
• D. The customer should deploy a single search head with a warm standby search head and an rsync process to synchronize configurations