Winter Special Limited Time 65% Discount Offer - Ends in 0d 00h 00m 00s - Coupon code: myex65

 
Home > Splunk > Splunk Core Certified Consultant > SPLK-3003

SPLK-3003 Splunk Core Certified Consultant Question and Answers

Question # 4

A customer has a multisite cluster (two sites, each site in its own data center) and users experiencing a slow response when searches are run on search heads located in either site. The Search Job Inspector shows the delay is being caused by search heads on either site waiting for results to be returned by indexers on the opposing site. The network team has confirmed that there is limited bandwidth available between the two data centers, which are in different geographic locations.

Which of the following would be the least expensive and easiest way to improve search performance?

A.

Configure site_search_factor to ensure a searchable copy exists in the local site for each search head.

B.

Move all indexers and search heads in one of the data centers into the same site.

C.

Install a network pipe with more bandwidth between the two data centers.

D.

Set the site setting on each indexer in the server.conf clustering stanza to be the same for all indexers regardless of site.

Full Access
Question # 5

A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this.

Which resource would help the customer gather the requirements for their new architecture?

A.

Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.

B.

Ask the customer to engage with the sales team immediately as they probably need a larger license.

C.

Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.

D.

Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.

Full Access
Question # 6

A Splunk Index cluster is being installed and the indexers need to be configured with a license master. After the customer provides the name of the license master, what is the next step?

A.

Enter the license master configuration via Splunk web on each indexer before disabling Splunk web.

B.

Update /opt/splunk/etc/master-apps/_cluster/default/server.conf on the cluster master and apply a cluster bundle.

C.

Update the Splunk PS base config license app and copy to each indexer.

D.

Update the Splunk PS base config license app and deploy via the cluster master.

Full Access
Question # 7

A customer is having issues with truncated events greater than 64K. What configuration should be deployed to a universal forwarder (UF) to fix the issue?

A.

None. Splunk default configurations will process the events as needed; the UF is not causing truncation.

B.

Configure the best practice magic 6 or great 8 props.conf settings.

C.

EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings per sourcetype.

D.

Global EVENT_BREAKER_ENABLE and EVENT_BREAKER regular expression settings.

Full Access
Question # 8

A customer has 30 indexers in an indexer cluster configuration and two search heads. They are working on writing SPL search for a particular use-case, but are concerned that it takes too long to run for short time durations.

How can the Search Job Inspector capabilities be used to help validate and understand the customer concerns?

A.

Search Job Inspector provides statistics to show how much time and the number of events each indexer has processed.

B.

Search Job Inspector provides a Search Health Check capability that provides an optimized SPL query the customer should try instead.

C.

Search Job Inspector cannot be used to help troubleshoot the slow performing search; customer should review index=_introspection instead.

D.

The customer is using the transaction SPL search command, which is known to be slow.

Full Access
Question # 9

In which of the following scenarios is a subsearch the most appropriate?

A.

When joining results from multiple indexes.

B.

When dynamically filtering hosts.

C.

When filtering indexed fields.

D.

When joining multiple large datasets.

Full Access
Question # 10

A customer has a number of inefficient regex replacement transforms being applied. When under heavy load the indexers are struggling to maintain the expected indexing rate. In a worst case scenario, which queue(s) would be expected to fill up?

A.

Typing, merging, parsing, input

B.

Parsing

C.

Typing

D.

Indexing, typing, merging, parsing, input

Full Access
Question # 11

Which of the following statements applies to indexer discovery?

A.

The Cluster Master (CM) can automatically discover new indexers added to the cluster.

B.

Forwarders can automatically discover new indexers added to the cluster.

C.

Deployment servers can automatically configure new indexers added to the cluster.

D.

Search heads can automatically discover new indexers added to the cluster.

Full Access
Question # 12

Consider the scenario where the /var/log directory contains the files secure, messages, cron, audit. A customer has created the following inputs.conf stanzas in the same Splunk app in order to attempt to monitor the files secure and messages:

Which file(s) will actually be actively monitored?

A.

/var/log/secure

B.

/var/log/messages

C.

/var/log/messages, /var/log/cron, /var/log/audit, /var/log/secure

D.

/var/log/secure, /var/log/messages

Full Access
Copyright myexamcollection.com. All Right Reserved.