Free Splunk Core Certified Consultant Exam SPLK-3003 Exam Practice Test

When monitoring and forwarding events collected from a file containing unstructured textual events, what is the difference in the Splunk2Splunk payload traffic sent between a universal forwarder (UF) and indexer compared to the Splunk2Splunk payload sent between a heavy forwarder (HF) and the indexer layer? (Assume that the file is being monitored locally on the forwarder.)

• The payload format sent from the UF versus the HF is exactly the same. The payload size is identical because they're both sending 64K chunks.
• The UF sends a stream of data containing one set of medata fields to represent the entire stream, whereas the HF sends individual events, each with their own metadata fields attached, resulting in a lager payload.
• The UF will generally send the payload in the same format, but only when the sourcetype is specified in the inputs.conf and EVENT_BREAKER_ENABLE is set to true.
• The HF sends a stream of 64K TCP chunks with one set of metadata fields attached to represent the entire stream, whereas the UF sends individual events, each with their own metadata fields attached.

A customer has 30 indexers in an indexer cluster configuration and two search heads. They are working on writing SPL search for a particular use-case, but are concerned that it takes too long to run for short time durations.How can the Search Job Inspector capabilities be used to help validate and understand the customer concerns?

• Search Job Inspector provides statistics to show how much time and the number of events each indexer has processed.
• Search Job Inspector provides a Search Health Check capability that provides an optimized SPL query the customer should try instead.
• Search Job Inspector cannot be used to help troubleshoot the slow performing search; customer should review index=_introspection instead.
• The customer is using the transaction SPL search command, which is known to be slow.

When using SAML, where does user authentication occur?

• Splunk generates a SAML assertion that authenticates the user.
• The Service Provider (SP) decodes the SAML request and authenticates the user.
• The Identity Provider (IDP) decodes the SAML request and authenticates the user.
• The Service Provider (SP) generates a SAML assertion that authenticates the user.

A customer has the following Splunk instances within their environment: An indexer cluster consisting of a cluster master/master node and five clustered indexers, two search heads (no search head clustering), a deployment server, and a license master. The deployment server and license master are running on their own single-purpose instances. The customer would like to start using the Monitoring Console (MC) to monitor the whole environment.On the MC instance, which instances will need to be configured as distributed search peers by specifying them via the UI using the settings menu?

• Just the cluster master/master node.
• Indexers, search heads, deployment server, license master, cluster master/master node.
• Search heads, deployment server, license master, cluster master/master node
• Deployment server, license master

A customer is using both internal Splunk authentication and LDAP for user management.If a username exists in both $SPLUNK_HOME/etc/passwd and LDAP, which of the following statements is accurate?

• The internal Splunk authentication will take precedence.
• Authentication will only succeed if the password is the same in both systems.
• The LDAP user account will take precedence.
• Splunk will error as it does not support overlapping usernames

The universal forwarder (UF) should be used whenever possible, as it is smaller and more efficient. In which of the following scenarios would a heavy forwarder (HF) be a more appropriate choice?

• When a predictable version of Python is required.
• When filtering 10%--15% of incoming events.
• When monitoring a log file.
• When running a script.

What happens when an index cluster peer freezes a bucket?

• All indexers with a copy of the bucket will delete it.
• The cluster master will ensure another copy of the bucket is made on the other peers to meet the replication settings.
• The cluster master will no longer perform fix-up activities for the bucket.
• All indexers with a copy of the bucket will immediately roll it to frozen.

Report acceleration has been enabled for a specific use case. In which bucket location is the corresponding CSV file located?

• thawedPath
• summaryHomePath
• tstatsHomePath
• homePath, coldPath

A customer has been using Splunk for one year, utilizing a single/all-in-one instance. This single Splunk server is now struggling to cope with the daily ingest rate. Also, Splunk has become a vital system in day-to-day operations making high availability a consideration for the Splunk service. The customer is unsure how to design the new environment topology in order to provide this.Which resource would help the customer gather the requirements for their new architecture?

• Direct the customer to the docs.splunk.com and tell them that all the information to help them select the right design is documented there.
• Ask the customer to engage with the sales team immediately as they probably need a larger license.
• Refer the customer to answers.splunk.com as someone else has probably already designed a system that meets their requirements.
• Refer the customer to the Splunk Validated Architectures document in order to guide them through which approved architectures could meet their requirements.

A customer has a network device that transmits logs directly with UDP or TCP over SSL. Using PS best practices, which ingestion method should be used?

• Open a TCP port with SSL on a heavy forwarder to parse and transmit the data to the indexing tier.
• Open a UDP port on a universal forwarder to parse and transmit the data to the indexing tier.
• Use a syslog server to aggregate the data to files and use a heavy forwarder to read and transmit the data to the indexing tier.
• Use a syslog server to aggregate the data to files and use a universal forwarder to read and transmit the data to the indexing tier.