An index stores its data in buckets. Which default directories does Splunk use to store buckets? (Choose all that apply.)
A Splunk administrator has been tasked with developing a retention strategy to have frequently accessed data sets on SSD storage and to have older, less frequently accessed data on slower NAS storage. They have set a mount point for the NAS. Which parameter do they need to modify to set the path for the older, less frequently accessed data in indexes.conf?
On the deployment server, administrators can map clients to server classes using client filters. Which of the
following statements is accurate?
User role inheritance allows what to be inherited from the parent role? (select all that apply)
After automatic load balancing is enabled on a forwarder, the time interval for switching indexers can be updated by using which of the following attributes?
Consider the following stanza ininputs.conf:
What will the value of the source filed be for events generated by this scripts input?
Which of the following are methods for adding inputs in Splunk? (select all that apply)
Search heads in a company ' s European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?
A user recently installed an application to index NCINX access logs. After configuring the application, they realize that no data is being ingested. Which configuration file do they need to edit to ingest the access logs to ensure it remains unaffected after upgrade?
Which feature of Splunk’s role configuration can be used to aggregate multiple roles intended for groups of
users?
An organization wants to collect Windows performance data from a set of clients, however, installing Splunk
software on these clients is not allowed. What option is available to collect this data in Splunk Enterprise?
Syslog files are being monitored on a Heavy Forwarder.
Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?
The volume of data from collecting log files from 50 Linux servers and 200 Windows servers will require
multiple indexers. Following best practices, which types of Splunk component instances are needed?
Given a forwarder with the following outputs.conf configuration:
[tcpout : mypartner]
Server = 145.188.183.184:9097
[tcpout : hfbank]
server = inputsl . mysplunkhfs . corp : 9997 , inputs2 . mysplunkhfs . corp : 9997
Which of the following is a true statement?
How is data handled by Splunk during the input phase of the data ingestion process?
What action could be taken to prevent a license warning with an ingest-based license?
What event-processing pipelines are used to process data for indexing? (select all that apply)
When using a directory monitor input, specific source types can be selectively overridden using which configuration file?
Which of the following are supported options when configuring optional network inputs?
The CLI command splunk add forward-server indexer: < receiving-port > will create stanza(s) in
which configuration file?
What are the minimum required settings when creating a network input in Splunk?
Which feature in Splunk allows Event Breaking, Timestamp extractions, and any advanced configurations
found in props.conf to be validated all through the UI?
When working with an indexer cluster, what changes with the global precedence when comparing to a standalone deployment?
This file has been manually created on a universal forwarder
A new Splunk admin comes in and connects the universal forwarders to a deployment server and deploys the same app with a new

Which file is now monitored?
A security team needs to ingest a static file for a specific incident. The log file has not been collected previously and future updates to the file must not be indexed.
Which command would meet these needs?
When deploying apps on Universal Forwarders using the deployment server, what is the correct component and location of the app before it is deployed?
A Universal Forwarder is collecting two separate sources of data (A,B). Source A is being routed through a Heavy Forwarder and then to an indexer. Source B is being routed directly to the indexer. Both sets of data require the masking of raw text strings before being written to disk. What does the administrator need to do to
ensure that the masking takes place successfully?
The universal forwarder has which capabilities when sending data? (select all that apply)
Which option on the Add Data menu is most useful for testing data ingestion without creating inputs.conf?
The following stanzas in inputs. conf are currently being used by a deployment client:
[udp: //145.175.118.177:1001
Connection_host = dns
sourcetype = syslog
Which of the following statements is true of data that is received via this input?
Which Splunk component distributes apps and certain other configuration updates to search head cluster members?
In a distributed environment, which Splunk component is used to distribute apps and configurations to the
other Splunk instances?
Seven different network switches are sending traffic to a server hosting a Universal Forwarder . Three of the devices are sending TCP data and four of the devices are sending UDP data.
What is the minimum number of input stanzas that must be created on the Universal Forwarder to successfully capture data from all seven sources?
A Splunk app named cisco_collector contains a Python modular input. Where in Splunk’s directory structure will the modular input script be located?
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)