Search heads in a company's European offices need to be able to search data in their New York offices. They also need to restrict access to certain indexers. What should be configured to allow this type of action?
A. Indexer clustering
B. LDAP control
C. Distributed search
D. Search head clustering
Windows can prevent a Splunk forwarder from reading open files. If files need to be read while they are being written to, what type of input stanza needs to be created?
A. Tail Reader
B. Upload
C. MonitorNoHandIe
D. Monitor
Syslog files are being monitored on a Heavy Forwarder. Where would the appropriate TRANSFORMS setting be deployed to reroute logs based on the event message?
A. Heavy Forwarder
B. Indexer
C. Search head
D. Deployment server
Which Splunk component consolidates the individual results and prepares reports in a distributed environment?
A. Indexers
B. Forwarder
C. Search head
D. Search peers
Which of the following accurately describes HTTP Event Collector indexer acknowledgement?
A. It requires a separate channel provided by the client.
B. It is configured the same as indexer acknowledgement used to protect in-flight data.
C. It can be enabled at the global setting level.
D. It stores status information on the Splunk server.
Which of the following are reasons to create separate indexes? (Choose all that apply.)
A. Different retention times.
B. Increase number of users.
C. Restrict user permissions.
D. File organization.
Event processing occurs at which phase of the data pipeline?
A. Search
B. Indexing
C. Parsing
D. Input
Which configuration files are used to transform raw data ingested by Splunk? (Choose all that apply.)
A. props.conf
B. inputs.conf
C. rawdata.conf
D. transforms.conf
In case of a conflict between a whitelist and a blacklist input setting, which one is used?
A. Blacklist
B. Whitelist
C. They cancel each other out.
D. Whichever is entered into the configuration first.
An admin is running the latest version of Splunk with a 500 GB license. The current daily volume of new data
is 300 GB per day. To minimize license issues, what is the best way to add 10 TB of historical data to the
index?
A. Buy a bigger Splunk license.
B. Add 2.5 TB each day for the next 5 days.
C. Add all 10 TB in a single 24 hour period.
D. Add 200 GB of historical data each day for 50 days.