FiltersDone

Question type

Essay

Multiple Choice

Short Answer

True False

Matching

Exam 5: Splunk Enterprise Security Certified Admin

Show Answer

Share

---

All types

Filters

Study FlashcardsPractice ExamLearn

Question 21

Multiple Choice

Review LaterAdd Note

Review Later

Consider a use case involving firewall data. There is no Splunk-supported Technical Add-On, but the vendor has built one. What are the items that must be evaluated before installing the add-on? (Select all that apply.)

A) Identify number of scheduled or real-time searches.
B) Validate if this Technical Add-On enables event data for a data model.
C) Identify the maximum number of forwarders Technical Add-On can support.
D) Verify if Technical Add-On needs to be installed onto both a search head or indexer.

Correct Answer

verified

Show Answer

Question 22

Multiple Choice

Review LaterAdd Note

Review Later

A customer has installed a 500GB Enterprise license. They also purchased and installed a 300GB, no enforcement license on the same license master. How much data can the customer ingest before search is locked out?

A) 300GB. After this limit, search is locked out.
B) 500GB. After this limit, search is locked out.
C) 800GB. After this limit, search is locked out.
D) Search is not locked out. Violations are still recorded.

Correct Answer

verified

Show Answer

Question 23

Multiple Choice

Review LaterAdd Note

Which command will permanently decommission a peer node operating in an indexer cluster?

What is the algorithm used to determine captaincy in a Splunk search head cluster?

Which of the following is a way to exclude search artifacts when creating a diag ?

Which of the following statements about integrating with third-party systems is true? (Select all that apply.)

When converting from a single-site to a multi-site cluster, what happens to existing single-site clustered buckets?

How does IT Service Intelligence (ITSI) impact the planning of a Splunk deployment?

A Splunk user successfully extracted an ip address into a field called src_ip . Their colleague cannot see that field in their search results with events known to have . Which of the following may explain the problem? (Select all that apply.)

Which of the following should be done when installing Enterprise Security on a Search Head Cluster? (Select all that apply.)

Of the following types of files within an index bucket, which file type may consume the most disk?

In an existing Splunk environment, the new index buckets that are created each day are about half the size of the incoming data. Within each bucket, about 30% of the space is used for rawdata and about 70% for index files. What additional information is needed to calculate the daily disk consumption, per indexer, if indexer clustering is implemented?

Which of the following should be included in a deployment plan?

Which index-time props.conf attributes impact indexing performance? (Select all that apply.)

Which of the following is true regarding Splunk Enterprise performance? (Select all that apply.)

Which tool(s) can be leveraged to diagnose connection problems between an indexer and forwarder? (Select all that apply.)

When adding or decommissioning a member from a Search Head Cluster (SHC) , what is the proper order of operations?

Which component in the splunkd.log will log information related to bad event breaking?

When planning a search head cluster, which of the following is true?

A customer plans to ingest 600 GB of data per day into Splunk. They will have six concurrent users, and they also want high data availability and high search performance. The customer is concerned about cost and wants to spend the minimum amount on the hardware for Splunk. How many indexers are recommended for this deployment?